Re: AW: AW: AW: Password in Tomcat 9.x
On Sat, Jan 21, 2023 at 02:24:46PM +0100, a.grub...@bluewin.ch wrote:
> Hello Mark
>
> Then how do you manage the webserver certificate in Tomcat? Where do you
> store the password? I would like to do it of course always without, but the
> architecture is like that I have.
>
> Webserver certificate.p12
> Webserver certificate.p12.pwd   Password_today   Password
> tomorrow
>
> Tomcat/conf/server.xml
>
> I would like to reference the pwd file in server.xml. You cannot enter the
> server and get to the directory until you do the sudo to its technical user.
>
> How can you do this? When you have an automated certificate approach running,
> renewing certificates which are in the range to renew.
> How to avoid setting ; in a password? This also causes or can cause issues.
>
> Thank you for your advice. More security is better, but it must be in the
> position to be handled easy. Every manual change I want to avoid.

I don't store the password. (Perhaps I should ask: do you mean the passphrase for the private key, or the passphrase for the PKCS12 container?)

Here I have to create a Certificate Signing Request and send it to the registrar for signature. Since I am creating the private key at the same time, I can have it created without encryption. Perhaps the tools that you use have such an option? I generate the request and key with:

    openssl req \
        -new \
        -newkey rsa:4096 \
        -nodes \
        -keyout SOMETHING.key \
        -out SOMETHING.req

If I were packing up the certificate(s) and key in a PKCS12, I would use "openssl pkcs12 -export -nodes ..." (to leave the private key unencrypted). But, now that I've been researching it, there may not *be* a way to specify "no encryption" of the PKCS12 structure itself, only ways to express a zero-length password.

Of course I pay strict attention to file and directory permissions.

-- 
Mark H. Wood
Lead Technology Analyst
University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu

signature.asc
Description: PGP signature
Re: AW: AW: Password in Tomcat 9.x
On Thu, Jan 19, 2023 at 07:33:04PM +0100, a.grub...@bluewin.ch wrote:
> I asked Thomas as well, if he knows if this could be solved with placing the
> path to the file - in my opinion, this is an easy, safe possibility to
> allocate any certs. That would be very helpful to have such tomcat.

I think there has been something missing in this discussion. Several people have advised removing the password from the credentials file. This is not just giving up and trading security for practicality. Storing a cleartext password on the same system with the password-protected object is equivalent to having no password, because anyone who can get the protected object can get the password from the same place. The only way that encrypting the container can increase security is to provide the password from outside the system whenever it is needed -- e.g. have an operator type it in. The purpose of encrypting the container seems to be to protect it *in transit from one system to another*, after which a human will decrypt it for use.

So: it is unlikely that anyone will do more work on the code for no more benefit.

When I think about it, this is just another layer of the reason that these credentials containers *can* be encrypted: such a file contains all of the materials which are needed to evade security, so there must be an external source of control to protect the contents: something which is not part of the materials and can be kept separate from them, carried by different means.
Re: Mod_JK vs Mod_Proxy
On Mon, Dec 05, 2022 at 03:37:59PM -0500, Christopher Schultz wrote:
> On 12/5/22 15:03, Cathy Spears wrote:
> > Using Tomcat 8.5 and 9.0 with 32-bit Apache 2.4 and mod_jk. Are there
> > benefits to using mod_proxy instead of mod_jk? Also, is there a
> > planned end of life for mod_jk or will it continue to be supported
> > for now?
>
> Hopefully this will be helpful:
>
> https://tomcat.apache.org/presentations.html#latest-migrate-ajp-http

I read this as a question about mod_proxy_ajp vs. mod_jk. Happily using mod_proxy_ajp here for some years. Both work well but I very much prefer the way mod_proxy_ajp integrates with the proxy configuration in HTTPD.
Re: Encryption of Tomcat AJP
On Thu, May 19, 2022 at 07:09:59AM +, Hiran CHAUDHURI wrote:
> CONFIDENTIAL & RESTRICTED
>
> From: Mark Thomas
> Subject: Re: Encryption of Tomcat AJP
>
> >On 19/05/2022 01:32, Brian Eller wrote:
> >> TRADING PARTNER
> >>
> >> Hello,
> >>
> >> I am working on a Tomcat install embedded inside a vendor
> >> product that uses Apache to pass traffic to Tomcat. My cyber security
> >> group is asking if we can encrypt all connections. Can the mod_jk
> >> protocol, AJP, be encrypted?
> >
> >No, AJP does not support encryption.
> >
> >If you want to encrypt traffic between the reverse proxy and the embedded
> >Tomcat instance I'd recommend using mod_proxy_http and proxy everything over
> >HTTPS. This requires a little more configuration to get things working.
> >
> >The main thing to keep in mind is to make sure that the Tomcat instance
> >correctly identifies whether the client connection to the reverse proxy was
> >over HTTP or HTTPS.
> >
> >Mark
>
> I totally agree this is an existing and sufficient mechanism already
> available. And I see it popping up in more and more locations.
> But as you point out there are some caveats that potentially open security
> risks. On the contrary AJP - maybe because it cannot be configured with
> encryption - looks simple and straightforward.
>
> Would it make sense to create a solution with less caveats and up to date
> security requirements?

If the OP's cyber security group insists, then maybe they would care to give him their requirements and suggestions for setting up IPSEC.
Re: correct usage of properties to supply database port
On Thu, Mar 10, 2022 at 09:40:48AM -0700, Rob Sargent wrote:
> About context/context/value: I have this context.xml. Is the value
> correctly inside the outer Context?
>
>     name="jdbc/sgsdb/tbar"
>     url="jdbc:postgresql://localhost:5432:/tbar"
>     driverClassName="org.postgresql.Driver"
>     type="javax.sql.DataSource"
>     factory="org.apache.tomcat.jdbc.pool.DataSourceFactory"
>     testWhileIdle="false"
>     testOnBorrow="true"
>     testOnReturn="false"
>     validationInterval="3"
>     validationQuery="select 1"
>     timeBetweenEvictionRunsMillis="3"
>     maxActive="50"
>     initialSize="3"
>     maxWait="1"
>     removeAbandonedTimeout="3600"
>     removeAbandoned="true"
>     minEvictableIdleTimeMillis="3"
>     minIdle="1"
>     maxIdle="5"
>     logAbandoned="true"
>     username="shoc"
>     password="password"
>     />
>
>     className="org.apache.catalina.valves.AccessLogValve"
>     prefix="sgs_access"
>     directory="${SGSSRVR_AccessLogDir}"
>     maxDays="7">
>

I don't think you can nest <Context>s that way, and I'm not sure what it would mean. I would remove the inner pair.
Re: javax.servlet vs jakarta.servlet?
On Thu, Dec 30, 2021 at 03:16:51PM -0500, Michael B Allen wrote:
> On Thu, Dec 30, 2021 at 10:57 AM Christopher Schultz wrote:
> >
> > You mean like ServletContext.getRealPath?
>
> Honestly I'm not sure how I feel about getRealPath. On the one hand, I
> don't think it's reasonable to just pretend that applications only
> exist in the vacuum of space. There are many practical reasons why an
> application might want to interact with the filesystem but without
> requiring absolute paths. Just because there might not be a file
> system is a weak excuse to not properly account for one. Being able to
> update a file of properties for example and have the application see
> that the file is updated without reloading the webapp (maybe even if
> the app is packaged as a war) is very useful. On the other hand I
> don't think I would want another 10 classes just to create some kind
> of ancillary webapp storage abstraction.

I would say that servlet code should, in general, assume that nothing exists outside of the container except that which it is told about. It should not care where it is. If it needs to interact with a filesystem, it should be given paths into that filesystem as context parameters or environment objects.

If I intended to make changes to an application's configuration without re-deploying, I would put the configuration elsewhere and configure the context with a path (or a Path) to it.

You may wish to have a look at https://stackoverflow.com/a/12160863/2916377
Re: How to *properly* create and use a CATALINA_BASE installation
The Gentoo Linux packaging of Tomcat does a nice job of laying out separate CATALINA_HOME and one or more CATALINA_BASE trees, if you'd like something to study.
Re: Re-Use TCP Source Ports if the Socket is Unique?
On Fri, Jun 25, 2021 at 12:46:03PM +, Eric Robinson wrote:
> Olaf and Scott --
>
> Thanks to both of you for your comments. I may have asked my question poorly,
> since what you both described is the way I understand TCP to work. There is
> no correlation between an incoming connection to tomcat and its outgoing
> connection to a database backend, nor would I expect there to be.
>
> Perhaps a simpler way to ask my question is: when a server has multiple IPs,
> which one does tomcat use as its source IP when it initiates a three-way
> handshake with a remote machine?
>
> For example, suppose my server has IP addresses 10.0.0.1 and 10.0.0.2, and my
> tomcat connector looks like this...
>
>     port="8080"
>     protocol="HTTP/1.1"
>     address="10.0.0.2"
>     connectionTimeout="2"
>     redirectPort="8443"
>     />
>
> Tomcat is now listening on IP 10.0.0.2.
>
> But here's the question. If tomcat needs to initiate a TCP session to a
> remote machine (acting as a TCP client), will it use 10.0.0.1 or 10.0.0.2 as
> the source IP of the outbound connection? I'm assuming it will use the same
> IP that the connector is configured to listen on.

man 7 tcp

A client uses 'connect' and doesn't need to set a local address. Only a service needs to declare its own address and port. The kernel routing database knows which distant hosts should be reachable via each local address. 'connect' should use this to pick an address that can reach the distant host, assign an unallocated port, and send SYN to request a connection.

So the answer to your question is "it depends on the service host's address and what networks the interfaces for 10.0.0.1 and 10.0.0.2 can see."
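The behaviour described in the reply above, shown with a plain socket rather than Tomcat. This is an added example, not code from the thread or from Tomcat: a throw-away listener on 127.0.0.1 stands in for the "remote" service (the only address an offline demo can use), `connect_without_bind` does what a Connector-independent outbound connection does, and `connect_with_source` shows the one way a client can pin its source address, which a Connector's `address` attribute does not do.

```python
import socket

# Added example (not from the thread): how the source address of an outbound
# TCP connection is chosen. The listener stands in for a "remote" service and
# is bound to loopback because that is all an offline demo can reach.


def connect_without_bind(server_addr):
    """Connect the way a normal client does: no bind(), so the kernel picks
    the local address (from the routing table) and an unallocated port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as client:
        client.connect(server_addr)
        return client.getsockname()  # (source_ip, source_port) the kernel chose


def connect_with_source(server_addr, source_ip):
    """Pin the source address by binding before connect(); port 0 still lets
    the kernel pick an ephemeral port. Needed only when a firewall rule or the
    remote side's allow-list depends on a particular local address."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as client:
        client.bind((source_ip, 0))
        client.connect(server_addr)
        return client.getsockname()


def run_demo():
    """Start a throw-away listener on 127.0.0.1 and connect to it both ways.
    The listener never calls accept(); the kernel completes the handshake
    from the backlog, which is enough to observe the chosen source address."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as server:
        server.bind(("127.0.0.1", 0))   # port 0: let the kernel choose
        server.listen(1)
        target = server.getsockname()
        auto = connect_without_bind(target)
        pinned = connect_with_source(target, "127.0.0.1")
        return {"target": target, "auto_source": auto, "pinned_source": pinned}


if __name__ == "__main__":
    result = run_demo()
    print("service listening on   ", result["target"])
    print("source chosen by kernel", result["auto_source"])
    print("source pinned by bind()", result["pinned_source"])
```

On a multi-homed host the interesting case is a target on a different network: `connect_without_bind` then reports whichever local address the route to that target uses, regardless of what any listening socket is bound to.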
Re: Most recent security-related update to 8.5? And setting up access to Manager?
On Mon, Jun 21, 2021 at 12:42:56PM -0400, Christopher Schultz wrote:
> On 6/19/21 11:31, James H. H. Lampert wrote:
[snip]
> > Also, while I'm here, can somebody point me to an example of how to code
> > the Manager's RemoteAddrValve setting to allow access from, say, two or
> > three arbitrary IP addresses?
>
> Take a look at the example configuration that ships with the Manager. It
> already includes 2 specific IPs and one range. It's a regular
> expression. If you aren't too good with those, find someone who is or
> give a specific example and someone here can probably help.

If you aren't too good at REs, or you just think that a long chain of ORed subexpressions, each of which contains far too many escaped dots, is too horrible to contemplate, you may also want to take a look at RemoteCIDRValve instead.

https://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Remote_CIDR_Valve

I got so tired of those eye-watering IP address REs that I wrote my own CIDR-based Valve some years ago, but I'm happy to discover that I can now throw it away and use one that ships with Tomcat.
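The same allow-list written both ways the reply contrasts, as an added example (not Tomcat's valve code): `allowed_by_regex` applies a pattern the way RemoteAddrValve does (the whole client address must match), `allowed_by_cidr` applies a CIDR list the way RemoteCIDRValve does, and `decisions_agree` is the cross-check you would run before swapping one valve for the other. Both allow-lists are constructed samples, not from the Manager's shipped configuration.

```python
import ipaddress
import re

# Added example (not Tomcat's code): one access policy in two spellings.
# Both lists are constructed samples.
#
# RemoteAddrValve style: a regular expression that must match the entire
# client address, so every dot is escaped and every host spelled out.
REGEX_ALLOW = r"127\.0\.0\.1|192\.168\.1\.(1|2|3)|10\.20\.30\.\d{1,3}"

# RemoteCIDRValve style: comma-separated addresses and CIDR blocks.
CIDR_ALLOW = "127.0.0.1, 192.168.1.1, 192.168.1.2, 192.168.1.3, 10.20.30.0/24"


def allowed_by_regex(client_ip, pattern=REGEX_ALLOW):
    """Mimic RemoteAddrValve: the pattern must match the whole address."""
    return re.fullmatch(pattern, client_ip) is not None


def parse_cidr_list(spec):
    """Turn 'a, b/24, ...' into network objects. A bare address becomes a /32
    (or /128 for IPv6); strict=False accepts 10.20.30.5/24 by masking off
    the host bits instead of rejecting it."""
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in spec.split(",") if item.strip()]


def allowed_by_cidr(client_ip, spec=CIDR_ALLOW):
    """Mimic RemoteCIDRValve: allowed if the address lies in any listed block.
    An IPv6 address is never 'in' an IPv4 block, so ::1 is rejected here
    unless ::1/128 is listed explicitly; the regex form has the same gap."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in parse_cidr_list(spec))


def decisions_agree(sample_ips):
    """True when both spellings of the policy decide every sample the same way."""
    return all(allowed_by_regex(ip) == allowed_by_cidr(ip) for ip in sample_ips)


if __name__ == "__main__":
    for ip in ["127.0.0.1", "192.168.1.2", "192.168.1.4", "10.20.30.77", "10.20.31.1"]:
        print(ip, "regex:", allowed_by_regex(ip), "cidr:", allowed_by_cidr(ip))
```

Note that `\d{1,3}` in the regex form also matches strings like 10.20.30.999 that are not addresses at all; it is harmless here because the valve only ever sees real client addresses, but it is one more way the regex spelling says less than it appears to.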
Re: Problem posting to Tomcat ssl connector ..
On Fri, May 28, 2021 at 01:32:47PM -0600, John Dale wrote:
> Page loads fine.
>
> Other pages load fine.
>
> SSL handshakes are working until ..
>
> An Ajax post with a base64 encoded image in the data.
>
> I debugged up to the request and it's fine.
>
> I debugged the server and it's not reaching my component.
>
> Tomcat is killing the connection for some reason.
>
> Thought it might be maxSavePostSize .. bumped that up in the SSL connector.
>
> No dice.
>
> Request post is around 300K.
>
> What's going on!?

I suppose there's nothing useful in the logs? Can anyone suggest adjustments that might log relevant observations?
Re: [EXTERNAL] Re: tomcat timeout
On Thu, Apr 15, 2021 at 08:25:12PM +, Mohamed Eliyas Abdul Kadar wrote:
> I am generating report for a year, normally this takes 5 mins on weblogic
> server. We are migrating to tomcat and it does not show any error. In
> developer tools I see timeout for that request.

I faced a similar issue some time ago, and decided that it was an application design error. I introduced a progress meter that polls periodically until the report generation completes or fails and, incidentally, gives the user an indication that service of the request is proceeding and has not simply hung or been dropped.

Other possibilities:

o The request causes a background thread to generate the report and email it when complete.

o A first request causes the report to be generated in a holding area, perhaps sending an email when completed; a second request fetches the completed report.

I decided that just lengthening timeouts was a losing strategy, because these particular reports can be requested over any portion of a record set that steadily grows in size, and can thus take longer to generate every month. Your situation may be different.
Re: [OT] programming style or mental process ?
I've appreciated this discussion. It's caused me to think a bit more about my use of this pattern.

[regarding tests for null references]

This has got me wondering why there is no operator for such an irritatingly common need:

    if (my_reference isNull) { ... }
Re: Browser complains of "weak signature algorithm" in cert on a new Tomcat installation. Does anybody here know anything about that sort of thing
On Wed, Jan 06, 2021 at 03:34:17PM -0800, James H. H. Lampert wrote:
> We just had our first Tomcat 8.5 installation on a customer's AS/400.
>
> The customer apparently has his own CA (they're a big company), and when
> I installed SSL in their Tomcat, and tested it with a browser, it
> complained, something to the general effect of "weak signature algorithm."
>
> While it's not really my problem (and is only connected to Tomcat by
> virtue of it happening with a Tomcat server), I'm curious about what's
> up with it, if anybody here is able and willing to explain it.

The beginning of this page might be helpful:

https://frasertweedale.github.io/blog-redhat/posts/2017-11-10-freeipa-changing-signature-algorithm.html

Simply: the message is saying that the customer's CA signed this certificate in a way that's not now believed by the browser's authors to be sufficiently secure.

I don't know what tools are available in the AS/400 environment, but here's how I would use OpenSSL on Linux to inspect a certificate:

$ openssl x509 -noout -text -in /etc/ssl/certs/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            9b:7e:06:49:a3:3e:62:b9:d5:ee:90:48:71:29:ef:57
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 1999 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G3
        Validity
            Not Before: Oct  1 00:00:00 1999 GMT
            Not After : Jul 16 23:59:59 2036 GMT
        Subject: C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 1999 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G3
etc.

The "Signature Algorithm" is what the message is about. Here it says that the certified public key was signed by hashing it with SHA1 and then encrypting the hash with the CA's RSA private key.

I just remembered that your browser probably has a way to display details of a certificate, too.

BTW that certificate above was issued in 1999, when SHA1 was considered sufficient. Certificates created today should be using a stronger hash.
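A small checker for the field the reply points at, as an added example (not from the thread): it takes the text that `openssl x509 -noout -text` prints, pulls out the first "Signature Algorithm" line, and says whether the digest is one browsers now reject. `SAMPLE_TEXT` is constructed from the fields shown above for the 1999 VeriSign root; the list of weak digests is this example's own.

```python
import re

# Added example (not from the thread): classify the signature algorithm in
# `openssl x509 -noout -text` output. SAMPLE_TEXT is constructed from the
# fields shown in the thread for the VeriSign G3 root.
SAMPLE_TEXT = """\
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            9b:7e:06:49:a3:3e:62:b9:d5:ee:90:48:71:29:ef:57
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C = US, O = "VeriSign, Inc.", CN = VeriSign Class 3 Public Primary Certification Authority - G3
        Validity
            Not Before: Oct  1 00:00:00 1999 GMT
            Not After : Jul 16 23:59:59 2036 GMT
"""

# Digests that current browsers refuse for certificate signatures.
WEAK_DIGESTS = ("md2", "md4", "md5", "sha1")

_SIG_ALG = re.compile(r"^\s*Signature Algorithm:\s*(\S+)", re.MULTILINE)
_DIGEST_NAMES = r"md2|md4|md5|sha1|sha224|sha256|sha384|sha512"


def signature_algorithm(x509_text):
    """Return the first 'Signature Algorithm' value. openssl prints the line
    twice (once in the Data section, once next to the signature bytes); the
    first is the one that names how the CA signed this certificate."""
    m = _SIG_ALG.search(x509_text)
    if m is None:
        raise ValueError("no 'Signature Algorithm' line found")
    return m.group(1)


def digest_of(sig_alg):
    """'sha1WithRSAEncryption' -> 'sha1', 'ecdsa-with-SHA256' -> 'sha256'.
    Returns None for algorithms with no separate digest name (e.g. ED25519)."""
    m = re.match(r"^(%s)" % _DIGEST_NAMES, sig_alg, re.IGNORECASE)
    if m is None:
        m = re.search(r"(%s)$" % _DIGEST_NAMES, sig_alg, re.IGNORECASE)
    return m.group(1).lower() if m else None


def is_weak_signature(x509_text):
    """True when the certificate was signed using a digest browsers reject."""
    return digest_of(signature_algorithm(x509_text)) in WEAK_DIGESTS


if __name__ == "__main__":
    alg = signature_algorithm(SAMPLE_TEXT)
    print(alg, "-> weak" if is_weak_signature(SAMPLE_TEXT) else "-> acceptable")
```

One caveat when reading the result: a self-signed root in the trust store is not validated by its own signature, so a SHA-1 root by itself does not produce the browser warning; it is the signatures on the server certificate and any intermediates that must use a stronger digest.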
Re: Session attribute disappears across requests
[Session attribute disappearing between requests]

*sigh* Brown paper bag error: the original-request handler was cleaning up the value before it could be read by the progress-request handler, when the original request *does not* run a long time (e.g. zero records to summarize). That's the wrong place to clean it up anyway.

Sorry for the noise.
Session attribute disappears across requests
Background: client request starts a long-running procedure which eventually returns a calculated result. I want to provide a progress meter so that the user knows that the request is still running. The page where this happens periodically fires an AJAX request to sample the progress of the procedure which is generating the response to the original request. The code which handles the original request adds a session attribute which references an object that knows how to get the current value of "progress". The code which handles the AJAX request looks up this session attribute to provide its response. The first AJAX request fires one second after the original request, confirmed by examining the application's log.

This all happens in a single instance of Tomcat 8.5.55 using the StandardManager with all its default settings, i.e. there is no Manager element in the configuration. I don't require persistence across restarts.

Problem: the attribute is definitely being created by the original-request handler, because I can see its name in the enumeration returned by Session.getAttributeNames in that handler after setting the attribute, and it definitely has a value there. However, one second later, in the AJAX-request handler the same Session (yes, I checked the session IDs and they match) does not contain an attribute with this name, though it contains all of the other attributes that were enumerated in the original-request handler.

The object referenced by the attribute does not implement Serializable and it would be difficult to do so. But it doesn't seem to me that this is necessary in the circumstances: not clustered, not using PersistentManager.

Where did I go wrong? I'm considering other ways to coordinate the two requests, but I'd like to know why this one isn't working.

Possible confounding factor: this is a Cocoon 2.2 application, and the HttpSession in both handlers is actually an org.apache.cocoon.environment.http.HttpSession. But I'm accessing the attributes the same way in both handlers -- I actually copy/pasted my debugging code -- and the session shows my attribute in one but not subsequently in the other.

Bonus question: this AJAX activity isn't going to have any effect on whether the original request times out, is it? So I probably need a broader re-think. (All the traffic is proxied through Apache HTTPD via AJP.)
Re: JNDI match of LDAP hashed passwords fail against cleartext
On Mon, Apr 20, 2020 at 12:17:54PM -0400, Christopher Schultz wrote:
> Hmm. The LDAP stuff I think wasn't me, but I understand it a little
> bit. Brian, is there a standard I can read for this? I'm familiar with
> LDAP servers storing credentials with "{sha}" prefixes but not others.
> Honestly, for an LDAP backend, I'd expect the LDAP server to be
> checking the credentials sent by the client, not to have the client
> fetch the credentials and do its own checking. That's the whole point
> of delegating authentication to the LDAP server.

The point of "client fetches credentials via LDAP to do its own checking" seems to be *not* to delegate authentication, but to use the directory as a store of hashed credentials. The only reason for doing this that I've been able to come up with is that in this setup there is no reason why the enterprise user has to be a directory user, i.e. only a handful of directory administrators and service accounts can actually authenticate identities *to the directory*, while many objects have credentials stored in a different attribute that the directory itself does not use for authentication. Minimizing access to a central store of identity and authorization makes sense in some settings.

I get the feeling that the X.500 designers deliberately left specific applications (like authenticating identities in other products) as an exercise for the client designer, so as not to foreclose clever uses they hadn't thought of. One result is a rather Wild West approach to using directory services for authentication. (I see this also in services dedicated to authentication: seemingly no two organizations use CAS in the same way.)
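What "the client fetches the hash and does its own checking" amounts to in code, as an added example that is not Tomcat's JNDIRealm: `verify_password` accepts a stored value in the `{SCHEME}base64` form directory servers use (the `{sha}` prefix mentioned above, plus the salted `{SSHA}` and the MD5 variants, and an unprefixed cleartext value) and compares in constant time. `encode_password` exists only to build fixtures; the `{SHA}` value in the test is the real SHA-1 of the word "secret".

```python
import base64
import hashlib
import hmac
import os

# Added example (not Tomcat's JNDIRealm): local verification of an LDAP
# userPassword value of the form {SCHEME}base64(digest[ + salt]).
# Schemes handled: {SHA}, {SSHA}, {MD5}, {SMD5}; no prefix means cleartext.

_DIGESTS = {"SHA": hashlib.sha1, "SSHA": hashlib.sha1,
            "MD5": hashlib.md5, "SMD5": hashlib.md5}
_SALTED = {"SSHA", "SMD5"}


def split_scheme(stored):
    """'{SSHA}abc...' -> ('SSHA', 'abc...'); no prefix -> (None, stored)."""
    if stored.startswith("{") and "}" in stored:
        scheme, _, rest = stored[1:].partition("}")
        return scheme.upper(), rest
    return None, stored


def encode_password(password, scheme="SSHA", salt=None):
    """Produce a stored value the way an admin tool would; used for fixtures.
    Salted schemes append the salt (8 random bytes unless given) after the
    digest, which is the convention verify_password relies on."""
    scheme = scheme.upper()
    digest = _DIGESTS[scheme]
    if scheme in _SALTED:
        salt = os.urandom(8) if salt is None else salt
        raw = digest(password.encode("utf-8") + salt).digest() + salt
    else:
        raw = digest(password.encode("utf-8")).digest()
    return "{%s}%s" % (scheme, base64.b64encode(raw).decode("ascii"))


def verify_password(stored, candidate):
    """Constant-time check of a candidate against a stored userPassword value.
    Unknown schemes fail closed instead of guessing."""
    scheme, payload = split_scheme(stored)
    if scheme is None:  # cleartext userPassword
        return hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))
    if scheme not in _DIGESTS:
        return False
    digest = _DIGESTS[scheme]
    raw = base64.b64decode(payload)
    size = digest().digest_size
    if scheme in _SALTED:
        expected, salt = raw[:size], raw[size:]   # salt follows the digest
        actual = digest(candidate.encode("utf-8") + salt).digest()
    else:
        expected, actual = raw, digest(candidate.encode("utf-8")).digest()
    return hmac.compare_digest(expected, actual)


if __name__ == "__main__":
    stored = encode_password("correct horse", "SSHA")
    print(stored, verify_password(stored, "correct horse"), verify_password(stored, "nope"))
```

Two things follow from writing it out. The client needs read access to the hash attribute for every user it authenticates, which is exactly the broadened exposure the thread is weighing against delegating a bind to the directory; and an unsalted `{SHA}` or `{MD5}` value is a fast, unsalted hash, so whoever can read the attribute can test guesses offline cheaply.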
Re: bind Tomcat to IPv4 and IPv6 loopback, Tomcat 9.0.31
On Thu, Mar 05, 2020 at 01:52:57PM +, Piyush Kumar Nayak wrote:
> Is there a way to get Tomcat's AJP connector to bind to both IPv4 and IPv6
> loopback addresses.
>
> By default, it seems that Tomcat binds to IPv4 loopback
> Default connector config :
>     packetSize="65535" secret="xxx" tomcatAuthentication="false"/>
>
> netstat -ano | findstr 8014
> TCP 127.0.0.1:8014 0.0.0.0:0 LISTENING 8616
> TCP 127.0.0.1:8014 127.0.0.1:57510 ESTABLISHED 8616
> TCP 127.0.0.1:57510 127.0.0.1:8014 ESTABLISHED 11800
>
> Introducing the address attribute like so :
>     packetSize="65535" secret="xxx" tomcatAuthentication="false"/>
> binds it to IPv6 loopback
> TCP [::1]:8014 [::]:0 LISTENING 8616
> TCP [::1]:8014 [::1]:57522 ESTABLISHED 8616
> TCP [::1]:57522 [::1]:8014 ESTABLISHED 6564
>
> Is there a way to make it bind to both the loopbacks. The problem we are
> facing is our Tomcat installations can have connector configured with IIS or
> Apache HTTPD.
> Apache connector, by default seems to make a socket connection using the
> address ::1 (IPv6 loop back address), whereas IIS connector tries to bind to
> the IPv4 loopback.

Two things I would try:

1. Two connectors, one with address='::1' and the other with address='127.0.0.1', both with port='8014'.

2. Configure the other end explicitly: tell HTTPD and IIS which address to use, and then configure your AJP Connector to match.
Re: no temp directory creation wanted when embedding Tomcat
It seems to me that the problem may be, that you are trying to use Tomcat but cut away most of its raison d'etre. Asking Google for "embedded web server java" will give you a lot of other possibilities to explore, some of them extremely simple.
Re: log4j app logging
On Wed, Dec 19, 2018 at 06:52:20PM +, Lemke, Michael ST/HZA-ZIC2 wrote:
> On December 19, 2018 6:54 PM Lemke, Michael wrote:
> >On December 18, 2018 8:52 PM Christopher Schultz wrote:
> >>On 12/18/18 12:42, Lemke, Michael ST/HZA-ZIC2 wrote:
> >>> I have an old webapp that uses log4j 1.2 and which I am trying to
> >>> deploy on tomcat. For the heck of it I can't get tomcat to use the
> >>> log4j.properties file. What am I doing wrong?
> >>
> >>
> >>How are you initializing log4j?
> >
> >Good question. I just dug a little and have to say I don't know. It
> >is a myfaces 1.1 application and I just realized jsf has logging built
> >in somehow. I can't find any explicit call to Logger.getLogger in the
> >code.
> >
> >I guess I have a terrible mess of all sorts of loggers in my libraries. I am
> >not good at all the different Java loggers. The log4j.properties I want
> >to use is for log4j-1.2.27 so not quite bleeding edge. Then there are
> >other libs that pull in slf4j-api-1.7.25.jar, there is a
> >jcl-over-slf4j-1.7.25.jar,
> >logback-classic-1.2.3.jar, logback-core-1.2.3.jar.
> >
> >Well, I do get quite a lot of logging from the app in the tomcat logfiles, so
> >something is working. But I don't know how to configure it.
> >
> >This used to work when I ran it on resin but I also changed quite a bit on
> >the code when I switched to tomcat. I'll try without all the new stuff.
>
> And this was it. The old version without the stuff that pulls in all the other
> log libraries it works. So tomcat is out of the loop. Sorry for the noise.
> (But if someone has a hint on my mess I wouldn't mind.)

If this happens to be a project built with Maven then 'mvn dependency:tree' should tell you which artifacts are pulling in SLF4J. You may need to run this more than once as you comb out transitive dependencies one by one.

But it's possible to use multiple logging frameworks in one webapp if you include/exclude the right artifacts. See https://www.slf4j.org/legacy.html if you need to do this with SLF4J and Log4J v1.
Re: Number of Web Applications in one Tomcat
On Mon, Oct 29, 2018 at 09:00:27AM +0100, Ahmed, Tarek wrote:
> TLDR? Do you deploy one web application per tomcat instance or several?

We have one production host with several related webapp.s in a single Tomcat instance, and another production host with three instances of that same single product (i.e. clumps of related webapp.s) in a single Tomcat instance. It works well.

In development I have at times as many as a dozen of those clumps running in a single Tomcat, alongside various other applications also in that single Tomcat. It rarely causes trouble, and in development I can always bounce it if I need to.

A couple of comments:

o "loaded classes may not always be unloaded cleanly, threads not closed etc." If I have this, it is either (a) an application bug, which I should fix, or (b) a buggy dependency, which I should report and complain about until fixed (or replaced).

o An additional problem with multiple applications per container: ill-designed dependencies which are only configurable using system properties, when different applications need different configurations.
Re: JVM keystores and CA
On Fri, Oct 19, 2018 at 10:09:16AM +1100, Igor Cicimov wrote:
[snip]
> To conclude, the way I would expect the trust store to be used and the
> whole validation done:
>
> 1. I use custom trust store because I need to load self signed certificates
> that I need to validate when connecting to lets say partner APIs that use
> self signed certificates and I know I can trust
> 2. I would expect nothing else needed in this store as every other valid
> certificate under the sun is already located in default locations on the
> server Java is running on
> 3. In case JAVA_HOME/lib/security/cacerts is my trust store (the default) I
> would expect Java to use the system store(s) too in case a certificate can
> not be validated simply because a CA is missing in the Java store. Example,
> DigiCert Global Root G2 CA is missing in the Java versions older than 8u91
> causing inexplicable PKIX exceptions but can be found in the system store,
> both under /etc/ssl/certs and /usr/share/ca-certificates which are (much)
> more frequently updated with new certs than Java versions. This actually
> applies to the case of custom trust store even more so
>
> Thoughts?

There are two ways that a truststore can be inadequate. (1) It can lack a certificate that your application should trust. (2) It can contain a certificate that your application should NOT trust.

Suppose that you had an application A which needs to distrust one of the CAs (X) that are trusted by the OS maintainers. And suppose that you had other applications on the same host which need to trust that same CA.

The way it currently works, you can copy the systemwide JRE truststore once, remove from the copy the certificate for X, and tell A to use the copy as its truststore. Every other application can just default to the systemwide truststore. (This also works if you need to give A an additional trusted CA not needed by other applications, and are willing to trust all the other CAs.)

The way you suggest it should work, you must remove X from all systemwide truststores of every type, and then configure a custom truststore for every application except A.

Which is more error-prone?

It shouldn't be difficult to write a script that makes a copy of the systemwide store and adjusts it to your application's specific needs.
Re: Error Regarding RFC 7230 and RC 3986
On Thu, Oct 18, 2018 at 11:55:24AM +0100, M. Manna wrote:
> Thanks a bunch Mark.
>
> "The correct fix is to ensure that the user agents are sending
> specification compliant requests." - Do you mean at browser level ? If so,
> is there any specific browser/update we can use? We've checked a few
> browsers so far (Firefox, Edge, Chrome) and none of them seem to have this
> option (or we might've missed it).
[snip]
> > > The URI we have for this problem has the following param (did work with
> > > 8.5.28)
> > >
> > > defaultMessageType=true&locale=en_US&action=[key:label.edit]

The browser did not actually *compose* that parameter, did it? If I had this problem, given only what I know from this thread, I would suppose that the page which contained an href having such a parameter is the source of the problem. Some link is improperly encoded.

I would say it is debatable whether browsers should be "correcting" hrefs which are handed to them by some site.
Re: Updating a working installation
"Is there an easy way?" Depends on what you find easy. :-/

I usually just load old and new server.xml into a maximized Emacs with two windows, and thoughtfully copy stuff over, after reading the release notes to learn of stuff to look out for. Other configuration I usually don't touch, and webapp.s should just copy over without much trouble.

As for the keystore: I've recently moved that out of my Tomcat configurations into the place where I keep other certificates and keys, and I configure Tomcat to look for it there. So I just copy those settings over and the keystore stays where it was.

I also tend to install the webapp.s elsewhere and just drop in external Context files to point to them, so copying these is a snap.
Re: Security of AJP
On Wed, Feb 28, 2018 at 09:25:53AM -0500, Christopher Schultz wrote:
> Chris,
>
> On 2/28/18 8:40 AM, Cheltenham, Chris wrote:
> > Since AJP is not really needed by Tomcat; If I comment out the AJP
> > startup line in server.xml will that affect anything.
> >
> > I still don't even understand what its for. I have read the apache
> > docs but it doesn't mean anything to me.. Apache's description
> > doesn't tell me anything.
> >
> > The AJP Connector element represents a Connector component that
> > communicates with a web connector via the AJP protocol. This is
> > used for cases where you wish to invisibly integrate Tomcat into an
> > existing (or new) Apache installation, and you want Apache to
> > handle the static content contained in the web application, and/or
> > utilize Apache's SSL processing.
> >
> > That is mumbo jumbo.
>
> Is it?

Well, it could be improved. For example, by using the widely-understood word "proxy" somewhere, or defining "web connector". Also by recalling that "Apache" is a huge array of various projects (including Tomcat!), while "Apache HTTP Server" refers to a specific web server daemon that can front-end Tomcat. One could even link "Apache HTTP Server" to 'http://httpd.apache.org/'.
Re: Using Environment variables instead of Java -D properties for context.xml substitution
Well, there are several layers of problems here, with different ways of addressing them.

Command lines are available using 'ps', so any secrets written on the command line are visible to anyone able to get a session on that host, for the duration of the command. There's no way around this that I know of.

Process environment variables may also be visible to all and sundry, so moving secrets from the command line to the environment just makes slightly more work for the snooper. Removing them from the shell's environment after use may not help, because typically the environment is cloned when a process is forked, so the service process will have copies that aren't removed.

The people who wrote the Servlet spec. seem to me to have been thinking that the context for an instance of an app. would be generated by an installer program or by the container's management tools. You could write a simple script to generate a context declaration which is customized for a specific instance. Unlike the command line or the process environment, files (such as a free-standing context declaration) can be protected by the filesystem. This is your best noninteractive bet.

As mentioned by another, the way to limit availability of machine-readable secrets to the greatest extent is to require an operator to type them in at startup. However, you'll need to consider the consequences of this if your container is automatically started at system startup -- you may need a way to let an individual context's startup wait for an operator to appear without hanging the whole system startup procedure. (Automatic startup is another common thing that the spec. authors seem to have believed to be Somebody Else's Problem.)

For completeness: in your own code, you'll also wish to ensure that you obliterate (not just discard) secrets as soon as you have no further need for them. That means that, within the JVM, they should only ever exist in mutable objects (not String, for example).
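The "simple script to generate a context declaration" from the third paragraph, as an added example that is not code from the post: the secret is read from a file that the filesystem protects (the script refuses a file that group or others can read), never placed on a command line or in a child's environment, escaped for XML, and written into a per-instance context file that is itself created mode 0600. The secret file path, the resource name "jdbc/app", the PostgreSQL URL and the output file are placeholders.

```shell
#!/bin/sh
# Added example, not code from the list post.  Generates a per-instance
# Tomcat context declaration from a permission-protected secret file, so the
# secret appears neither on any command line (visible via ps) nor in any
# process environment.  Paths, the JNDI name "jdbc/app" and the JDBC URL are
# placeholders.
set -eu

# xml_escape STRING: make an arbitrary secret safe inside an XML attribute.
# The value travels through printf (a builtin) and a pipe, not through argv.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' \
        -e 's/>/\&gt;/g' -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# read_secret FILE: print the first line of FILE, but only if the file is
# private to its owner (group/other bits all clear, i.e. mode 0600).
read_secret() {
    mode=$(ls -l "$1" | cut -c5-10)          # group and other permission bits
    if [ "$mode" != "------" ]; then
        echo "refusing $1: group/other can read it (expected mode 0600)" >&2
        return 1
    fi
    IFS= read -r line < "$1"                 # read by redirection, not argv
    printf '%s' "$line"
}

# write_context SECRET_FILE OUT_FILE: write a Context with a DataSource whose
# password comes from SECRET_FILE.  OUT_FILE is created mode 0600 (umask 077)
# so that only the Tomcat user that owns it can read the embedded secret.
write_context() {
    secret=$(read_secret "$1")
    umask 077
    cat > "$2" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<Context>
  <Resource name="jdbc/app" auth="Container" type="javax.sql.DataSource"
            username="app" password="$(xml_escape "$secret")"
            driverClassName="org.postgresql.Driver"
            url="jdbc:postgresql://db.example.internal:5432/app"/>
</Context>
EOF
    unset secret                             # drop our own copy once written
}
```

Run it as the Tomcat user from an installer or deployment step, e.g. `write_context /etc/app/db.pwd $CATALINA_BASE/conf/Catalina/localhost/app.xml`; the generated file is then owned and readable by that user alone, which is the property neither the command line nor the environment can give you.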
Re: internalProxies regex
On Fri, Jan 12, 2018 at 12:31:39PM +0100, Harrie Robins wrote:
> Wow, that will be great. And I think that many people would like this to be
> implemented!
> I volunteer to test this!
>
> Also, with many people fronting that machines with cloudflare / load
> balancers, I think demand will increase for this.
> I could just write a valve to replace the mod_cloudflare module that I used
> in apache (mod cloudflare is mod_remoteip with settings predefined).
>
> Regards,
>
> Harrie
>
> -----Original message-----
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: 09 January 2018 00:25
> To: users@tomcat.apache.org
> Subject: Re: internalProxies regex
>
> Harrie,
>
> On 1/5/18 3:47 AM, Harrie Robins wrote:
> > our tomcat application server are fronted by 1. cloudflare, and 2.
> > amazon load balancer. In apache there is mod_remote IP and I can
> > simply put in CIDR range: https://www.cloudflare.com/ips/ that will
> > swallow all those IP and will get the correct IP to tomcat.
> >
> > In Tomcat I need
> > https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html
> > which does not accept CIDR range however.
>
> Have a look at this:
>
> https://bz.apache.org/bugzilla/show_bug.cgi?id=51953
>
> It was never merged into Tomcat, but if it got some additional interest and
> testing, perhaps it could be added.
>
> -chris

There's also this: https://github.com/mwoodiupui/tomcat-extras
Re: taglibs
On Mon, Nov 06, 2017 at 10:13:42AM -0500, Christopher Schultz wrote:
> Ray,
>
> On 11/6/17 9:48 AM, Ray Holme wrote:
> > I am not the primary developer. I do Java and DB development. I
> > leave the JSP for someone else (I am mostly retired but I have
> > been doing this a LONG time). But I deal with distributions and
> > builds so I was the one who modified the "not to SCAN"
> > libraries. 2.5 minutes down to less than 1 second.
>
> Fast and broken is worse than slow and working. :)
>
> > But I blew it with the jstl jars so I just wanted to know if there
> > is any way to find out if the jar is a taglib.
>
> So... generally speaking I would say "you should know your own
> libraries" but it shouldn't be hard to determine which libraries are
> taglibs. Simply look in each JAR file to see if there are any ".tld"
> files.

That's what I thought, too. I looked, and the jstl-api JAR doesn't contain any TLDs. The corresponding jstl-impl JAR does, though.
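The check Chris describes ("look in each JAR file to see if there are any .tld files"), as an added example that is not code from the thread: it lists the JARs in a directory that carry a TLD and, separately, the names of those that do not, which are the only ones safe to add to the scan skip list. It assumes unzip is available and treats an unreadable archive as an error rather than as "no taglibs", since a JAR wrongly skipped is exactly the "fast and broken" failure above. The directory and the sample JAR names are placeholders.

```shell
#!/bin/sh
# Added example, not code from the list thread.  Classify JARs by whether
# they contain a Tag Library Descriptor (*.tld).  Assumes "unzip" is on PATH;
# directory and JAR names are placeholders.
set -eu

# jar_has_tld JAR: 0 if the archive contains a *.tld entry, 1 if it does not,
# 2 if the archive could not be listed.  An unreadable JAR must never be
# reported as "no taglib", or it would end up wrongly skipped.
jar_has_tld() {
    listing=$(unzip -l "$1" 2>/dev/null) || return 2
    printf '%s\n' "$listing" | grep -q '\.tld$'
}

# list_taglib_jars DIR: print the full path of every JAR in DIR with a TLD.
list_taglib_jars() {
    for jar in "$1"/*.jar; do
        [ -f "$jar" ] || continue
        status=0; jar_has_tld "$jar" || status=$?
        case $status in
            0) printf '%s\n' "$jar" ;;
            2) echo "cannot read $jar" >&2; return 1 ;;
        esac
    done
    return 0
}

# non_taglib_jar_names DIR: print the bare file names of JARs in DIR that
# carry no TLD, one per line: candidates for the scanner's skip list.
non_taglib_jar_names() {
    for jar in "$1"/*.jar; do
        [ -f "$jar" ] || continue
        status=0; jar_has_tld "$jar" || status=$?
        case $status in
            1) basename "$jar" ;;
            2) echo "cannot read $jar" >&2; return 1 ;;
        esac
    done
    return 0
}
```

The names printed by `non_taglib_jar_names WEB-INF/lib` are the ones that can be added to `tomcat.util.scan.StandardJarScanFilter.jarsToSkip` in catalina.properties; anything `list_taglib_jars` reports (such as jstl-impl, but not jstl-api, as the reply notes) must stay out of that list.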
Re: [External] Re: Security Headers Implementation in Tomcat 6.x version
On Thu, Sep 07, 2017 at 04:07:25PM +0530, Mohammad Nayeem wrote:
> We have installed apace and configured mod_jk connector along with a
> load-balancer for 2 tomcat servers.
>
> We were able to successfully start apache and we got the login page of our
> application hosted on it, but the functionality is lost. For example, when
> we hit login button on home page, nothing happens. Also, we tried access
> some specific web page using a direct url, we ended up with an error.
>
> Do you have any suggestion for me so that we can achieve the exact same
> functionality that we had without apache in the front?

Yes:

o When you say, "we ended up with an error," tell us what the error message says. It is very difficult to diagnose an unknown error.

o When you say, "nothing happens," what should happen, in detail? Check Tomcat's log files for the time at which nothing happened. Check your application's log files for that time. If the logs say nothing about the operation, then it's time to insert more logging in your application code, or attach a debugger and step through the code, to see what it is doing.

o Your browser may have developer tools that can show you requests and responses, which may help you to determine what is happening. I like a Firefox add-on called Firebug, if you need a suggestion.

o In general, if we are to help, we need a lot more detail than "it doesn't work." Too much information is better than too little.

o My recollection is that this list does not forward attachments. If the evidence is too large to simply copy into an email body, you could post it on something like Pastebin or Github Gist and refer to the URL in your messages.
Re: Where Tomcat webapp contexts live on Debian
Yes, many distributions lay out Tomcat the same way as every other daemon is installed in Unix (executables in /usr, volatile data in /var, configuration in /etc) and the startup scripts set CATALINA_HOME and CATALINA_BASE to make that happen. If you look in CATALINA_BASE, you may find symlinks like conf -> /etc/tomcat-7, as Gentoo does it, to explain the few things that can't be relocated by configuration.
Re: Automatically compressing localhost_access_log after rotation
On 8/3/17 5:47 AM, Martin Knoblauch wrote:
> is there a way to compress the localhost_access_log.#.txt file
> automatically after rotation?

There is, but maybe not one built into Tomcat. I have a daily cron job to run a script which looks for older logs and ZIPs them:

    LOGDIR=/var/log/tomcat-7
    ZIP_OPTS='-9mou'    # best compression, move into the archive, keep newest timestamp, update

    # localhost: one archive per year, fed with logs older than 7 days
    for LOG in $(find ${LOGDIR} -mtime +7 -name 'localhost.????-??-??.log' | sort); do
        YEAR=$(echo ${LOG} | cut -d. -f2 | cut -d- -f1)
        zip ${ZIP_OPTS} /var/biglogs/tomcat/localhost.log.${YEAR}.zip ${LOG}
    done

I have a bunch of these blocks in the script, so I ought to make one into a function and just call it N times with various arguments, but this works for me.
Re: This is weird: can't bind to 443
I'm always surprised that so little mention is made of the Commons Daemon approach:

http://tomcat.apache.org/tomcat-7.0-doc/setup.html#Unix_daemon

which, among other things, lets Tomcat get privileged ports the same way that HTTPD (like most other daemons) does: start privileged, acquire protected resources, drop privilege, run.

This *is* mentioned in RUNNING.txt, but somehow manages to be overlooked.
Re: sendFiles vs. compression
On Tue, Apr 18, 2017 at 02:03:19PM -0400, Chris Gamache wrote:
> I had any frame of reference to base a decision on, I wouldn't have asked
> the question. Ask any front-end engineer what the single best thing to do
> to make a user's experience better when accessing a single-page web
> application, they will say "enable compression" so why it isn't turned on
> by default was a mystery, and that it plays second fiddle to serving static
> file from the file system in an efficient manner was a double mystery.
>
> Perhaps if my fellow tomcat users would share their thought processes in
> their particular situations for selecting one method over the other, that
> might help me look at my own situation and make a good decision.

Well, why does one want to use sendfile()? Why does one want to use compression?

sendfile() can be more efficient on the server end, by reducing the number of context switches when sending large files: one switch into kernel mode is all that is needed to get the file sent. So if you have a lot of concurrent users and fairly large files, this economy might dominate the user experience.

OTOH compression can make more efficient use of lower-bandwidth links, because it sends fewer bits in fewer packets to accomplish the same task. So if you have a lot of users on slow links then this economy might dominate the user experience. Note that compression uses more CPU at both ends, so a server already running flat-out or a large community of low-powered clients may eat up any savings, and then some.

How to know which is most important? Measure! The simplest approach would be to try it each way and ask users how they experienced the result.

If you have a lot of information about the distribution of bandwidth and CPU power across your user community, the amount of data to be sent per request, and the shape of traffic over time, you can make some shrewd guesses, but in the end the best solution is the one that does the job best, and the only way to know that is to test and see.
Re: Tomcat base directory layout
On Sat, Mar 25, 2017 at 12:31:51PM +0100, Thomas Meyer wrote:
> Does there exists a small helper tool that can create the minimum necessary
> directories and files in a new CATALINA-BASE directory ? Or a template zip
> file or something like this?
>
> Such a tool would be helpful, because I always struggle what directories are
> minimum necessary to start a new instance.

Not in the standard Tomcat kit, I think. Gentoo Linux has its own tomcat-instance-manager.bash script which does this. You might be able to adapt it.

https://wiki.gentoo.org/wiki/Apache_Tomcat
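A minimal instance creator of the kind asked for, as an added example that is neither Tomcat's nor Gentoo's script: it lays out the directories Tomcat expects under a new CATALINA_BASE (conf, logs, temp, webapps, work), seeds conf/ from an existing CATALINA_HOME, and gives the instance its own shutdown and HTTP ports so two instances on one host do not collide. It assumes CATALINA_HOME holds a stock distribution whose server.xml still uses the default ports 8005 and 8080; the instance path and the port numbers are placeholders.

```shell
#!/bin/sh
# Added example, not Tomcat's own tooling nor Gentoo's script.  Creates the
# minimal CATALINA_BASE layout for a new instance.  Assumes CATALINA_HOME is a
# stock Tomcat distribution with default ports in server.xml; the instance
# path and port numbers passed in are placeholders.
set -eu

# make_catalina_base HOME BASE: create BASE with the directories Tomcat
# expects and copy the configuration files it needs to start.
make_catalina_base() {
    home=$1 base=$2
    if [ ! -f "$home/conf/server.xml" ]; then
        echo "no Tomcat distribution at $home" >&2; return 1
    fi
    umask 027                      # instance files: owner rw, group r, others nothing
    for d in conf logs temp webapps work; do
        mkdir -p "$base/$d"
    done
    for f in server.xml web.xml catalina.properties context.xml \
             logging.properties catalina.policy tomcat-users.xml; do
        [ -f "$home/conf/$f" ] && cp "$home/conf/$f" "$base/conf/$f"
    done
    printf 'created %s\n' "$base"
}

# set_instance_ports BASE SHUTDOWN_PORT HTTP_PORT: rewrite the default
# shutdown (8005) and HTTP (8080) ports in BASE/conf/server.xml.
set_instance_ports() {
    base=$1 shutdown=$2 http=$3
    sed -e "s/port=\"8005\"/port=\"$shutdown\"/" \
        -e "s/port=\"8080\"/port=\"$http\"/" \
        "$base/conf/server.xml" > "$base/conf/server.xml.tmp" \
    && mv "$base/conf/server.xml.tmp" "$base/conf/server.xml"
}
```

Typical use: `make_catalina_base /opt/tomcat /srv/tomcat/app1 && set_instance_ports /srv/tomcat/app1 8105 8180`, then start with `CATALINA_BASE=/srv/tomcat/app1 $CATALINA_HOME/bin/startup.sh`. The shutdown port is a plain-text control channel, so leave it bound to localhost as the stock server.xml does, or set it to -1 when jsvc or a service manager handles stopping.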
Re: Tomcat log files - Strict permissions - setuid
On Thu, Dec 03, 2015 at 10:42:40AM -0300, Andres Riancho wrote:
> List,
>
> I'm trying to secure my tomcat instances. One of the steps I took
> was to run the tomcat process using the non-privileged "tomcat" user,
> and set the file system permissions as restrictive as possible. It all
> works well, but there is something missing: "The tomcat user is able
> to read the access log files":
>
> root@7083cdc8e2fc:/apps/tomcat/logs# ls -la
> ...
> -rw-rw 1 tomcat tomcat 0 Dec 1 19:46 0.0.0.0_access_log.2015-12-01.txt

One fancier approach would be to configure a log sink which passes records to another process through a socket -- syslog, for example. There are syslog Handler implementations for java.util.logging, or you could cook up a custom log recorder to receive from the stock j.u.l.SocketHandler, or you could configure Tomcat to use slf4j/logback and its syslog appender. This will not be simple but it will be quite adaptable. You should probably look at simpler methods first.

> Is there any way to configure tomcat to be able to write to the
> access log file, but have the file owned by root with permissions 600?
> I understand that this is done by starting the tomcat process as root
> and then dropping privileges using setuid() , but was unable to find
> something already built / well documented.

That is what the Commons Daemon tool (jsvc) is for. That should be a lot simpler.
Re: Tomcat Conflicting with Group Policy Client
On Thu, Nov 19, 2015 at 10:34:55AM +0100, André Warnier (tomcat) wrote:
> I don't know anything about the various non-Tomcat softwares you are
> mentioning, and just a little bit about Tomcat. But the one thing I
> see in your Tomcat logfile, is that there seem to be a lot of TCP
> connection errors of the kind "(Connection refused. Check that the
> hostname and port are correct and that the postmaster is accepting
> TCP/IP connections.)" These seem to be related mostly to
> PostgreSQL. Maybe there is a limit (in the PostgreSQL
> configuration) to how many connections it accepts at the same time ?
> or maybe the PostgreSQL server is just overloaded ?

There is. It is in postgresql.conf: max_connections.
Re: Tomcat 8 reliability/performance on Windows 2008 R2 Server vs. RHEL/CentOS
On Wed, Sep 30, 2015 at 01:23:14PM -0700, Jason Britton wrote:
> Hello Good People -
> We currently have multiple Tomcat instances deployed on RHEL in production
> with no issues but I am getting asked why we shouldn't migrate everything
> to run on Windows 2008 R2 Server instead. My stomach churns at the thought
> but I am looking for more concrete information about why this could be
> problematic vs. running Tomcat on RHEL/CentOS. My gut says far more Tomcat
> deployments in production are done on top of Linux based OS's vs. Windows.
> Any thoughts on making an argument for one OS vs another in deploying
> Tomcat 8? Thanks for your thoughts,

I think it's going to boil down to: how well do the people who will operate and maintain Tomcat get along with each environment?

I go with Linux because throughout a long association with Windows I found it frequently getting in my way, embodying invalid assumptions, and generally resistant to being used in the way I want to operate a host. Others will have the opposite experience. So, which kind do you have?
Re: Configuring E-Mail Session via JNDI
On Wed, Aug 05, 2015 at 09:12:14PM -0700, Tim Gustafson wrote:
> I'm trying to configure an e-mail session in my Tomcat configuration like
> this:
>
> <Resource name="mail/session"
>           auth="Container"
>           type="javax.mail.Session"
>           mail.transport.protocol="smtp"
>           mail.smtp.host="192.168.0.2"
>           mail.debug="true" />

That means Tomcat will have to have access to mail.jar, typically by placing a copy in Tomcat's /lib. Otherwise it can't load javax.mail.*.

> From my web application, I'm instantiating a Session object like this:
>
> Context initialContext = new InitialContext();
> session = (Session) initialContext.lookup("java:comp/env/mail/session");
>
> When I go to send e-mail from my web applet, I'm getting:
>
> java.lang.ClassNotFoundException: javax.mail.Authenticator

Probably because the Resource could not be created. See above.

> I find that error a little odd, as I'm not doing SMTP AUTH anywhere,
> but I'll let that go for now. Based on documentation I found while
> Googling that error message, I copied the mail.jar file from my
> Netbeans library into Tomcat's lib folder, and now I get:
>
> java.lang.ClassCastException: javax.mail.Session cannot be cast to
> javax.mail.Session

As another noted, this happens when you have two copies of mail.jar available to the classloader tree, even when they are exact copies of each other. Don't include a copy in your application if it is to be provided by the container (which is required, if you want to use it this way).

> Removing Java Mail from my Netbeans project does not appear to be an
> option as it will refuse to compile the project without it.

I use NetBeans with Maven, and in that context I would declare the mail dependency to be provided. I don't know how to do that in a native NetBeans project, but what you'd need to do is to tell NetBeans that javax.mail is required to compile but must not be included in the output WAR. Or you can just manually remove mail.jar from the built application before deployment. I have to do that with a community project that I haven't yet had time to fully adapt to injection. Doing it this way might be a good quick proof-of-concept for a nicer solution.

In summary: place mail.jar in Tomcat's /lib and NOT in your deployed application.
Re: [OT] FileNotFoundException for existing JAR files
On Fri, Feb 13, 2015 at 01:21:13PM -0500, Christopher Schultz wrote:
> Mark,
>
> On 2/13/15 1:02 PM, Mark H. Wood wrote:
> > On Fri, Feb 13, 2015 at 11:46:37AM -0500, Christopher Schultz
> > wrote:
> >> Alexander,
> >>
> >> On 2/12/15 2:26 PM, Alexander Johnson wrote:
> >>> It looks like that's true. It turns out this wasn't a
> >>> permissions issue at all. For some reason copying the JAR
> >>> files out of the directory and back into it caused them to be
> >>> picked up (I read this in a suggestion somewhere). Reading the
> >>> 'man' entry for cp I see that it doesn't preserve "Access
> >>> Control Lists (ACLs) and Extended Attributes (EAs), including
> >>> resource forks" unless the -p flag is set (this is on by
> >>> default when using mv). My guess is that removing this "access
> >>> control" information somehow made the files accessible to the
> >>> tomcat7-maven-plugin. It seems a little sketchy that I don't
> >>> really know the root cause of the problem, but I'm happy that
> >>> it's now fixed.
> >>
> >> Aah, yes: the ACL. That's one of those super-fun *NIX-isms that
> >> can ruin your day.
> >>
> >> $ ls -l
> >>
> >> -rwxrwxrwx chris chris 100 a_file
> >>
> >> $ cat a_file
> >>
> >> cat: a_file: Permission denied
> >>
> >> *grumble*
> >>
> >> The best part is that 'ls' doesn't show you there is a problem,
> >> at least not directly. Everyone always forgets about the other
> >> commands.
> >
> > The 'ls' that comes as part of Gnu Coreutils will, when built that
> > way, add a "+" to the mask to show that there is an ACL on the
> > object. (But that's all it does -- I still have to remember to
> > use 'getfacl' to see what the ACL actually *says*.)
>
> Yep.
>
> From Alexander's previous message, it did not seem like 'ls' was
> notifying him about the presence of the acl. I checked the
> gnu-coreutils man pages and info pages, and neither mention ACLs. Can
> you give me a reference for the "+" thing?

coreutils.info v8.21, section 10.1.2: "What information is listed". About 52% down the page: "[f]ollowing the file mode bits is a single character that specifies whether an alternate access method such as an access control list applies to the file."

You could just search for "alternate access method".
Re: [OT] FileNotFoundException for existing JAR files
On Fri, Feb 13, 2015 at 11:46:37AM -0500, Christopher Schultz wrote:
> Alexander,
>
> On 2/12/15 2:26 PM, Alexander Johnson wrote:
> > It looks like that's true. It turns out this wasn't a permissions
> > issue at all. For some reason copying the JAR files out of the
> > directory and back into it caused them to be picked up (I read this
> > in a suggestion somewhere). Reading the 'man' entry for cp I see
> > that it doesn't preserve "Access Control Lists (ACLs) and Extended
> > Attributes (EAs), including resource forks" unless the -p flag is
> > set (this is on by default when using mv). My guess is that
> > removing this "access control" information somehow made the files
> > accessible to the tomcat7-maven-plugin. It seems a little sketchy
> > that I don't really know the root cause of the problem, but I'm
> > happy that it's now fixed.
>
> Aah, yes: the ACL. That's one of those super-fun *NIX-isms that can
> ruin your day.
>
> $ ls -l
>
> -rwxrwxrwx chris chris 100 a_file
>
> $ cat a_file
>
> cat: a_file: Permission denied
>
> *grumble*
>
> The best part is that 'ls' doesn't show you there is a problem, at
> least not directly. Everyone always forgets about the other commands.

The 'ls' that comes as part of Gnu Coreutils will, when built that way, add a "+" to the mask to show that there is an ACL on the object. (But that's all it does -- I still have to remember to use 'getfacl' to see what the ACL actually *says*.)
Re: Restricting SSL access within webapp
On Fri, Aug 01, 2014 at 07:54:03PM -0400, David Kerber wrote:
> On 8/1/2014 6:06 PM, James H. H. Lampert wrote:
> >>> Why would you want to do that? Other than a few extra server CPU
> >>> cycles, what's the harm in allowing SSL anywhere at the client's
> >>> discretion?
> >
> > I'm with Chuck on that one.
> >
> >> From the docs:
> >>
> >> Also, while the SSL protocol was designed to be as efficient as securely
> >> possible, encryption/decryption is a computationally expensive process
> >> from a performance standpoint.
> >
> > Well, I'll say that I find it rather irritating, when on my dial-up
> > (YES, DIAL-UP) at home, that Google unilaterally insists on HTTPS unless
> > you're signed on, and explicitly opt out of it.
> >
> > But then again, there are a LOT of web sites that are immensely
> > bandwidth-intensive, and actively hostile to older browsers (that may
> > nonetheless be the newest browsers available for a given combination of
> > hardware and OS), all for no good reason (other than adware and
> > spyware), and SSL is only a small part of that unnecessary waste of
> > bandwidth.
> >
> > But that said, I think that when there's no overriding security reason
> > to require SSL, and no overriding bandwidth limitation reason to
> > prohibit it, it should be the user's call on whether to use HTTP or HTTPS.
>
> I don't think the problem is so much bandwidth as it is server CPU.
> Encryption and decryption are very cpu-intensive tasks.

Negotiating the session key is expensive, but it happens once per short session, and at long intervals for a long session. Most of the session uses symmetric encryption, which is far, far cheaper.
Re: environment-based properties files
On Thu, Jul 17, 2014 at 05:01:32PM -0400, Brandon M. Wagner, Triple Tech Inc. wrote:
> > On Jul 17, 2014, at 3:54 PM, Toby Lazar wrote:
> >
> > Hi,
> >
> > Say I have an application that uses a properties and/or XML file that
> > changes per environment. I'd like to create the WAR once and promote it
> > from TES -> STAGE -> PROD without modification. Is this approach sensible?
> > Is there a recommended approach for externalizing it? Is it safe to
> > append a folder to common.loader in catalina.properties that contains the
> > properties file and just exclude that file from the built WAR file?
>
> I have used a properties file per environment by placing it in the lib
> directory (since it's already in the class path). I still include a
> properties file in the .war but it looks for an external one in tomcat first.
> You can incorporate a checksum if you are worried about modifications to the
> properties file.

I guess you don't want to just set some Context parameters
https://mhw.ulib.iupui.edu:8443/docs/config/context.html#Context_Parameters
or Environment entries?
https://mhw.ulib.iupui.edu:8443/docs/config/context.html#Environment_Entries

-- 
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Machines should not be friendly. Machines should be obedient.
Re: preserving content not in the war
On Mon, Jul 07, 2014 at 05:48:37AM -0400, Aryeh Friedman wrote:
> I have auto deploy on (and want to keep it that way) but I also have
> content that is not a part of the war and do not want it deleted on a new
> reploy... namely I have xxx/content/ and I do not want that erased on
> war deployment I tried symlinks and it nuked all the sym linked data on
> deploy

I would place the content elsewhere -- outside of Tomcat's directories altogether -- and pass its path in through the environment.
Re: Where can I store data files in a tomcat war
On Wed, Jul 02, 2014 at 11:49:36AM +0100, Paul Taylor wrote:
> I have a simple WAR based web application that uses Lucene created
> indexes to provide search results in a xml format.
>
> Especially given the following context:
>
> and supplementary question how do I modify my pom file to do this
> with maven
>
> I was under the impression that Paul was building a separate
> application using Lucene during the build stage to create the
> indexes, but then using an application - specific mechanism to use
> those indexes.
>
> That's what I thought, too.
>
> Yes correct, let me explain it a bit further. I'm trying to deploy an
> application that serves results from a lucene index in response to user
> requests. Deploying it manually to my own server is fine, first of all I
> just copy the index files to a location on the disk, then I deploy my
> application, and within its web.xml I have a servlet parameter that
> defines where the indexes are, so within the servlets init() method i
> initilize the indexes. The problem is that I'm trying to deploy my
> application to Amazon Web Services using autoscaled Elastic Beanstalk,
> this means that the application has to be able to be initilized and
> created based on what is in the war because Elastic Beanstalk will
> automatically start new servers as required due to load and terminate
> those instances when not required.

So it sounds like this index is static, produced somewhere else and only consulted read-only by 1..N instances of your webapp. Could you not just plop one uncompressed copy of the index into an EBS snapshot in an S3 bucket, and map the snapshot to each EB instance? Then just provide environmental information to the webapp as to where it should find the index. Your huge index doesn't have to live in the WAR then.

I have *very* little experience with AWS, so it's quite possible I'm missing something.
Re: Any recommendations on heap settings for Tomcat on an AS/400?
I recommend that, whatever settings you use, don't just set and forget them. Monitor your memory usage and tune it to match the characteristics of your load.

--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Machines should not be friendly. Machines should be obedient.
Re: Should validationQuery commit ?
On Tue, Apr 22, 2014 at 01:58:56PM +0200, Franck Routier wrote:
[snip]
> That said, I was hit by another (related) problem this week-end, with
> Oracle.
> The validation query was configured as 'select 1 from dual;'. Notice the
> semicolon: this broke everything with intermittent ORA-12516 errors.
> Removing the semicolon fixes my app with Oracle.
> Has anyone an idea of what is happening with this ; ?

I believe that the semicolon is a delimiter used by SQL*Plus (and many other interactive tools for DBMS access). It seems to be used by SQL itself only in the module language and embedded SQL, where a statement delimiter is needed. It's not part of an SQL statement, so it probably doesn't belong in a query string. Commandline tools need a statement delimiter, but statements fed to the DBMS programmatically are delimited by end-of-string.

--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Machines should not be friendly. Machines should be obedient.
Re: Tomcat-user versus StackOverflow
On Fri, Mar 14, 2014 at 01:31:06PM +, Mark Thomas wrote:
> While something that is effectively cross-posting is annoying for
> those of us subscribed to this list and who use stack overflow I can
> understand folks wanting to seek help from a range of different places.

I'm reminded of the repairman's story of arriving at a site and discovering he'd been entered in a race: the customer had called two other repair shops as well, and apparently whoever arrived first got the job. He was unhappy about that. I can understand why.

--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Machines should not be friendly. Machines should be obedient.
Re: Tomcat-user versus StackOverflow
I don't think I've ever had to ask a question on SO because there's nearly always someone else who has already asked my question and it's easy to search. So my tendency is to let Google fish in SO (and the rest of the world) for my question, rummage a bit, and then try to find an ML for the product in question if my need is unusual. I'd probably ask on SO if I couldn't find an ML or the ML proved unhelpful. Neither of which is true of this list.

But then I'm such an old fossil that I think email is still useful. :-)

--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Machines should not be friendly. Machines should be obedient.
Re: Tomcat and Spring Framework
On Mon, Mar 10, 2014 at 09:32:05PM -0400, Rossen Stoyanchev wrote:
> On Mon, Mar 10, 2014 at 3:58 PM, Mark H. Wood wrote:
>
> > It's probably worth asking what "full-fledged enterprise applications"
> > means. I'm not aware of any specification with that title.
>
> Indeed there is no such specification. The point is that Java enterprise
> development is not always defined nor does it have to be defined by specs.
> The spec development process is tricky at best. You have to do it not too
> early (ahead of experience) and not too late either.
>
> Open source is actually in a much better position to evolve continuously by
> capturing developer feedback and providing results quickly. So certainly
> don't discount just because it's not a spec.

I wasn't discounting Spring; I use it and like it. I was discounting empty phrases like "full-fledged enterprise application" which could mean anything, or nothing. When someone offers me support for "full-fledged enterprise applications" I do not know what facilities and APIs I can rely on; when someone offers me JEE 6 or Spring 3.2 or something else with a definition, I do.

--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Machines should not be friendly. Machines should be obedient.
Re: Tomcat and Spring Framework
It's probably worth asking what "full-fledged enterprise applications" means. I'm not aware of any specification with that title.

--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Machines should not be friendly. Machines should be obedient.
Re: Tomcat v6.0.20 - Cannot Remove Date From JULI Log File Names
On Wed, Jan 29, 2014 at 10:27:13AM -0500, Christopher Schultz wrote:
> Mark,
>
> On 1/29/14, 9:49 AM, Mark H. Wood wrote:
> > On Tue, Jan 28, 2014 at 12:32:22PM -0500, Daniel Mikusa wrote:
> >> On Jan 28, 2014, at 12:05 PM, Vye wrote:
> >>> I have been unsuccessfully trying to remove the date from
> >>> catalina's log file name. My ultimate goal is to logrotate the
> >>> file, which is best done when the file name is static.
> >>
> >> I'm curious, why are you trying to do this? The log files are
> >> being rotated out-of-the-box. They rotate by date, hence why the
> >> date is part of the name. Why do you need to rotate them with
> >> some other tool? What doesn't work about the out-of-the-box
> >> configuration?
> >
> > I agree. logrotate is a very nice crutch for use when the
> > application doesn't rotate its own logs, but it is better to use
> > the application's rotation code when it exists, since the
> > application (with full knowledge of its internal state) can do this
> > more safely and efficiently than any external tool.
>
> I actually like logrotate's capabilities for maintaining a set of log
> files: rotate, compress, delete, script, etc.

I agree that logrotate's set of features is quite nice.

> > Cleaning up old log files is easily done with a simple cron job,
> > if the application does not trim old files. That operation can be
> > done just as well externally as internally.
>
> Sure, you can do this with scheduled scripts, but if logrotate is
> willing to do that work for you (e.g. easier commands, etc.) why not
> use it?

logrotate works very well for logs created by short-lived processes. No particular coordination is required, when the source of the log starts, opens the file, writes a few records, and exits, from time to time. Long-running processes require coordination, or else the new file may sit empty for hours or days while the old file continues to receive the log entries.

logrotate has ways to handle this:

o send the process a signal that causes it to close and reopen logs. I don't think Tomcat has this. jsvc does, and so (if you use jsvc to start Tomcat) you can use this to rotate catalina.out. There's some good stuff about this at http://wiki.apache.org/tomcat/FAQ/Logging#Q10 but it's for sysout, not logging packages like JULI. I see some intriguing notes there about logrotate's 'copytruncate' option, which I'll have to read up on.

o run a command that somehow causes the process to close and reopen logs. I don't think Tomcat has this.

o stop and restart the daemon, which forces a close/open of the logs. It takes Tomcat several minutes to restart here, and while I'm looking at ways to trim startup time, I really don't want to bounce our services *at all* just to tidy the logs.

Thus I prefer to let Tomcat rotate its logs, since it can do that without interfering with its operation, and to provide scripts to handle trimming or archiving or other post-processing of the closed logs.

[just to be thorough] There are other options in some cases.

o Apache HTTPD comes with 'rotatelogs', a filter that absorbs text and writes it into files with a maximum size, maximum age, date-stamped names, etc. If there's a way to connect log output to a pipeline, a daemon that does not contain rotation logic can still have rotated log files without restarting.

o Some syslog packages work well with logrotate (using the signal mechanism), so if your daemon can log to syslog then the rotation can be handled downstream.

--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Machines should not be friendly. Machines should be obedient.
Re: Tomcat v6.0.20 - Cannot Remove Date From JULI Log File Names
On Tue, Jan 28, 2014 at 12:32:22PM -0500, Daniel Mikusa wrote:
> On Jan 28, 2014, at 12:05 PM, Vye wrote:
> > I have been unsuccessfully trying to remove the date from catalina's
> > log file name. My ultimate goal is to logrotate the file, which is
> > best done when the file name is static.
>
> I'm curious, why are you trying to do this? The log files are being rotated
> out-of-the-box. They rotate by date, hence why the date is part of the name.
> Why do you need to rotate them with some other tool? What doesn't work
> about the out-of-the-box configuration?

I agree. logrotate is a very nice crutch for use when the application doesn't rotate its own logs, but it is better to use the application's rotation code when it exists, since the application (with full knowledge of its internal state) can do this more safely and efficiently than any external tool.

Cleaning up old log files is easily done with a simple cron job, if the application does not trim old files. That operation can be done just as well externally as internally.

--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Machines should not be friendly. Machines should be obedient.
Re: [OT] Out of memory exception - top posting
On Thu, Jan 23, 2014 at 09:24:41PM -0500, Howard W. Smith, Jr. wrote:
> On Thu, Jan 23, 2014 at 2:08 PM, André Warnier wrote:
> > Either people don't read the rules, or they do not understand the rule, or
> > they just ignore it.
>
> I agree. As a tomcat/tomee user, I joined the list, primarily, to listen in
> on topics (that interest me), so I learned, very quickly, that top-posting
> is not preferred, here.

I may have said this before, but: too bad there is no standard "List-Rules:" header to provide machine-readable hints, so that a conforming UA could remember them from the subscription response or latest-read message and at least give the user some suggestions. Rules like "no attachments" could be acted on by the UA; rules like "no top-posting" require human judgment but could be advertized by the UI.

--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Machines should not be friendly. Machines should be obedient.
Re: [OT] Out of memory exception - top posting
If I can't figure out what the post is talking about by looking at the first 50-60 lines, I usually just hit D and move on. If, by some miracle, the poster really needed to reach *me*, he may eventually ask why I don't respond, and then I can tell him privately why I find his messages unintelligible. This also limits the effort I waste on messages that are all quotation, with no original content.

I suspect that lots of email users expect the UA to do the Right Thing, while UA designers understand that this is a thing which the UA cannot do because it requires understanding of the content. So the UA punts, leaving the cursor at the top of the message, and the trusting user thinks this is what should happen. The *adept* user knows that editing and composition make his work more effective, and is guided by training and experience rather than the UA.

--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Machines should not be friendly. Machines should be obedient.
Re: how to reply
On Wed, Nov 06, 2013 at 02:18:36PM -0700, Jay Vee wrote:
> I subscribed to this email list using the digest format; How do I freaking
> reply now?

Ask the people who made your email user agent. It's their problem. Digest format is standardized, but every client implementation is different.

> I see a reply to a previous response, to construct a reply I have to
> cut-copy-paste into another message. It's not easy.

Indeed. That's one reason I never resorted to digest format.

> Can you people install forum software already and get rid of the freaking
> email list? cheez.

I sincerely hope not. I'd have to write something to scrape the messages out of the forum and turn them into email.

--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Machines should not be friendly. Machines should be obedient.
Re: problem with Remote Address Filter
On Thu, Sep 12, 2013 at 01:14:58PM -0700, Garey Mills wrote:
> I'm running Apache Tomcat Version 7.0.29. I have inserted a Remote
> Address filter into server.xml inside of the tag. It is not blocking
> addresses that are not in .

That's probably because Filters don't go there. They are configured in web.xml.

http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#Introduction

See RemoteAddrValve for a component that can be configured in server.xml or an external Context descriptor.

http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Remote_Address_Filter

> I am using the Remote Address filter because I want to allow access
> only to addresses in our institution's community. This is a large
> institution and we have 4 or 5 class B address ranges, maybe 10 class Cs,
> and a number of broken ranges. The regular expression runs to 8181
> characters without doubling up on \. It does, however, work in a test Java
> class that I wrote, correctly allowing and disallowing a test group of
> addresses.
>
> One question I have is that the example in
>
> http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#Remote_Address_Filter
>
> has single backslashes, but in order to make the pattern work in my test
> class, I had to double up on the slashes. I took a look at the
> RequestFilter code, and it looks like the pattern string is just passed to
> Pattern.compile, so the pattern in the filter should need double slashes.
> I've tried it both ways and neither worked.

If you are calling the filter from Java code, you probably are passing it the pattern in a String constant. The double backslashes are needed to get single backslashes into the content of the String, because they are string escapes in Java and must themselves be escaped. The Tomcat configuration files are not Java and the conventions are different. Single backslashes work just fine for me with the RemoteAddrValve, and I don't see why they should not work in configuring the RemoteAddressFilter.

--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Machines should not be friendly. Machines should be obedient.
Re: Option to allow "\" in hardcoded file paths
On Tue, Aug 06, 2013 at 03:05:44PM +, Jeffrey Janner wrote:
> Had a programmer build a filepath using "\" instead of "/" , because he's
> windows centric (duh).

Probably should be using java.io.File.separator.

--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Machines should not be friendly. Machines should be obedient.
Re: 6.0.16 vs 6.0.37 puzzle
I would first look in the Tomcat log files to see if anything useful is recorded at the time of the blank response. I'd also ask the browser to display the page source to see if it's actually empty or contains something (perhaps quite a lot of something) that renders as an empty page. It might be instructive to look at the browser's error console too.

--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Machines should not be friendly. Machines should be obedient.
Re: Delayed WAR expansion, timeout on context startup?
On Tue, May 14, 2013 at 12:17:10PM +0200, Mayr Stefan wrote:
> Oh, that's a wonderful mix of applications and versions. Most common
> are
>
> OS: SLES10 SP4, SLES11 SP2, both using TrendMicro ServerProtect 3
> Java: Java 6 U20,U33,U37,U45; Java 7 U09, U21
> Tomcat 6.0.20, 6.0.35, 6.0.35; 7.0.26, 7.0.27, 7.0.32
>
> Developers are crying when we move applications to the newer os with an
> active antivirus scanner. This affects all version combinations.

Aside: [wearing my *developer* hat] if developers are seriously affected by moving to a newer version of infrastructure, we need to learn to write less-brittle code. This should not be a big deal.

--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Machines should not be friendly. Machines should be obedient.
Re: Why is context.xml no longer copied to Catalina/localhost/myapp.xml?
On Tue, May 07, 2013 at 04:45:39PM +, Jeffrey Janner wrote:
> > -Original Message-
> > From: Mark H. Wood [mailto:mw...@iupui.edu]
> > Sent: Tuesday, May 07, 2013 8:41 AM
> > To: users@tomcat.apache.org
> > Subject: Re: Why is context.xml no longer copied to
> > Catalina/localhost/myapp.xml?
> >
> > On Mon, May 06, 2013 at 04:35:19PM -0400, Jesse Barnum wrote:
> > [snip]
> > > I am sure that this would be out of scope, but if we pictured an
> > ideal scenario, it seems like there would be one configuration file
> > that is tightly managed by the developer, which is replaced when the
> > app is redeployed, and a different configuration file that is intended
> > for end user customization, which is stored separately.
> >
> > Well, the developer can simply pack into the app. whatever internal
> > configuration is needed, since he has ready access to the interior of
> > the app and can deposit on the classpath *.properties, *.xml, or
> > anything else he wants. He can have no certain knowledge of the app's
> > runtime environment and should not assume, only specify requirements,
> > and provide sensible defaults when there are some.
> >
> > The deployer, OTOH, has ready access to the app's environment,
> > including its Context, but should not be assumed to have such access to
> > the interior of the app.
> >
> > So this division of labor depends on the developer's discipline in
> > distinguishing internal vs. external configuration and coding the app.
> > to look in the proper place for each. I don't see a good way for the
> > container to make up for incorrect design in this area.
> >
>
> That's a perpetual dilemma for those of us who develop our apps for commercial
> distribution.
> We usually don't have access to a lot of needed information about the
> deployment environment, and really don't want to know that much.
> We don't normally have things like machine names, database names, schema
> names and passwords, etc., and our customers are usually reluctant to provide
> that information to us, at least prior to on-site install (if there is one).
> So that sort of stuff has to be in a location that it is relatively easy to
> point the SysAdmin towards and tell him what should be modified (or done via
> an install script, where possible).
> And in any case, I don't want to have to modify several hundred context.xml
> or properties files, etc. and then generate individual war files for each
> customer. I already have my hands full just creating the half-dozen
> variations of our product each release.

Exactly my point. You shouldn't have to concern yourself with instance details; those are the customer's concern, and the most contact you should have with them is in the case that you want to provide a wizard to write the instance configuration for the customer. The customer only needs to know what the variables mean, in terms of his operation, and how they are named.

${CATALINA_BASE}/conf/[enginename]/[hostname]/[appname].xml is easy to find and should contain almost entirely only stuff that the customer might need to adjust. Things the customer isn't concerned with shouldn't be in there, outside of a couple of necessary attributes of the element itself. You can supply a wizard to write it, if need be.

If you want to do it all for the customer, you can ship a standard, uncustomized WAR and a small file (perhaps a Context descriptor file) with all the custom settings in it. You could probably build a Web page to write the customizations file from a form and download it, if the customers would accept that.

--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Machines should not be friendly. Machines should be obedient.
Re: Why is context.xml no longer copied to Catalina/localhost/myapp.xml?
On Tue, May 07, 2013 at 01:17:40PM -0400, Jesse Barnum wrote:
> On May 7, 2013, at 9:40 AM, "Mark H. Wood" wrote:
> > Well, the developer can simply pack into the app. whatever internal
> > configuration is needed, since he has ready access to the interior of
> > the app and can deposit on the classpath *.properties, *.xml, or
> > anything else he wants. He can have no certain knowledge of the app's
> > runtime environment and should not assume, only specify requirements,
> > and provide sensible defaults when there are some.
> >
> > The deployer, OTOH, has ready access to the app's environment,
> > including its Context, but should not be assumed to have such access
> > to the interior of the app.
> >
> > So this division of labor depends on the developer's discipline in
> > distinguishing internal vs. external configuration and coding the
> > app. to look in the proper place for each. I don't see a good way for
> > the container to make up for incorrect design in this area.
> >
> > --
> > Mark H. Wood, Lead System Programmer mw...@iupui.edu
> > Machines should not be friendly. Machines should be obedient.
>
> Mark, can you give me an example of a use case where it is useful for the
> deployer to modify parameter values in the META-INF/context.xml file? Assume
> that at some point, a new version of the application will be deployed, and
> also assume that the deployer does not wish to re-apply the same
> customizations with each release.

Well, not really. My point was that things the deployer will want to modify should not be in META-INF/context.xml; they should be in ${CATALINA_BASE}/conf/[enginename]/[hostname]/[appname].xml where they are easy for the deployer to get at without digging in the app. itself. I can't think of anything I would want to put in META-INF/context.xml, really. The developer doesn't need that layer of mapping; he knows where all the internal bits are and what they are called, because he decrees them.

Keeping the Context descriptor outside of the app. means that it won't be replaced when you deploy a new release (provided that you don't put the app. in appBase). That's why I do it.

> Without getting into the pros and cons of your first paragraph (which places
> all responsibility for managing app preferences on the developer), would you
> agree that the current approach (leaving the context.xml file in the web app)
> is not fulfilling one of its intended purposes, which is allowing the
> deployer to customize the application behavior?

I would. I suspect that what people had in mind was that some installer program would automagically customize META-INF/context.xml, so that the app. actually deployed is not quite the app. which is shipped. I happen to think that 'tar', 'unzip', and 'cp' are the three best installers out there, and would rather put my per-instance settings somewhere outside the app. altogether. I very much appreciate the way that Tomcat makes that possible.

I'm not sure what you mean by "places all responsibilities for managing app preferences on the developer". I thought that this division requires that the developer *not* manage preferences, which I take to be deployment details such as "where's my database?" or "what's the name of this business?" Those are the responsibility of the deployer; the developer is responsible for supplying values which are invariant across instances, but which might be convenient to gather into a .properties or some such.

--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Machines should not be friendly. Machines should be obedient.
Re: Why is context.xml no longer copied to Catalina/localhost/myapp.xml?
On Mon, May 06, 2013 at 04:35:19PM -0400, Jesse Barnum wrote:
[snip]
> I am sure that this would be out of scope, but if we pictured an ideal
> scenario, it seems like there would be one configuration file that is tightly
> managed by the developer, which is replaced when the app is redeployed, and a
> different configuration file that is intended for end user customization,
> which is stored separately.

Well, the developer can simply pack into the app. whatever internal configuration is needed, since he has ready access to the interior of the app and can deposit on the classpath *.properties, *.xml, or anything else he wants. He can have no certain knowledge of the app's runtime environment and should not assume, only specify requirements, and provide sensible defaults when there are some.

The deployer, OTOH, has ready access to the app's environment, including its Context, but should not be assumed to have such access to the interior of the app.

So this division of labor depends on the developer's discipline in distinguishing internal vs. external configuration and coding the app. to look in the proper place for each. I don't see a good way for the container to make up for incorrect design in this area.

--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Machines should not be friendly. Machines should be obedient.
Re: proper context usage
On Sat, May 04, 2013 at 06:15:25PM +0200, Istvan Devai wrote:
> My problem is, that I'd like to configure a valve for only one deployed
> application (deployed as a .war file)
>
> Here are the ways I've already tried:
>
> - Putting the element into server.xml. This works, however,
> after doing this, the manager application won't let me redeploy the
> application (gives an error message describing this).

Usually not the best way.

> - Putting the valve declaration into conf/context.xml. This also works,
> however, this way the valve is configured for all deployed applications,
> which is not possible in my case (the valve is doing authentication
> stuff, which I do not want to take effect for other apps, eg the manager
> app)
> - Putting the valve declaration into conf/Catalina/localhost/myapp.xml.
> This also works fine, however this file is always deleted after
> redeployment (as far as I know, this was introduced to tomcat 7, as
> autoDeploy=false does not disable the deletion of context files).

It sounds as though you are placing the app. into the appBase directory. Put it somewhere else and declare docBase=path-to-your-app and you should not have this problem anymore. I use this pattern extensively.

> The official solution to this, - according to the manual - is to put the
> context.xml file into the .war file itself. However, the problem with
> this, is that the context contains database connections, mail sessions,
> etc. that are different for every environment where the .war file is
> deployed. That's why I'd like to stick with an external way of
> configuration.

Exactly why I have always been puzzled as to why one would ever want to place a context descriptor (which is most likely external information unique to a single instance) inside a webapp.

> Questions:
> - Any idea how to have an external, application specific (that is,
> non-shared) context file that is not deleted on redeployment in the manager?

See above.

> - Or maybe deploy the app in a different way that retains the
> app-specific context file?

None that I could ever discover. When an app. is placed in appBase, Tomcat feels free to extract its own context descriptor and destroy same as needed. It can't tell our hand-built ones from its own extracts.

--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Machines should not be friendly. Machines should be obedient.
Re: Tomcat access log reveals hack attempt: "HEAD /manager/html HTTP/1.0" 404
On Wed, Apr 17, 2013 at 01:24:04PM -0500, Caldarale, Charles R wrote:
> > From: Leo Donahue - RDSA IT [mailto:leodona...@mail.maricopa.gov]
> > Subject: RE: Tomcat access log reveals hack attempt: "HEAD /manager/html
> > HTTP/1.0" 404
>
> > So you are saying it could be possible to know in advance that certain
> > requests are for repeated requests of nothing or being made by a bot,
> > versus regular legitimate requests, in order to move those bot requests
> > off to another thread?
>
> Nothing of the sort. You simply put each 404 response on queue, and have an
> existing timer thread send it out when the appropriate delay has been
> achieved. No threads are tied up during the delaying action.

However, sockets *are* tied up. We don't get this benefit for free; it costs both kernel and application memory. Even if the limits on these are infinitely adjustable, we might not want to adjust them that high because they are doing another job for us.

--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Machines should not be friendly. Machines should be obedient.
Re: Tomcat access log reveals hack attempt: "HEAD /manager/html HTTP/1.0" 404
On Wed, Apr 17, 2013 at 01:45:22PM -0400, Christopher Schultz wrote:
> André,
>
> On 4/17/13 1:27 PM, André Warnier wrote:
> > Leo Donahue - RDSA IT wrote:
> >>> -Original Message- From: André Warnier
> >>> [mailto:a...@ice-sa.com] Subject: Re: Tomcat access log reveals
> >>> hack attempt: "HEAD /manager/html HTTP/1.0" 404
> >>>
> >>>
> >>> That's the idea. That is one reason why I brought this
> >>> discussion here : to check if, if the default factory setting
> >>> was for example 1000 ms delay for each 404 answer, could anyone
> >>> think of a severe detrimental side-effect ?
> >>
> >> What if I send 10,000 requests to your server for some file that
> >> is not there?
> >
> > Then you will just have to wait 10,000+ seconds in total before you
> > get all your corresponding 404 responses. Which is exactly the
> > point.
>
> Sounds like a DOS to me. What you really want to do is detect an
> attacker (or annoying client) and block them without having to use
> your own resources. Maintaining a socket connection for an extra
> second you don't otherwise have to do is using a resource, even if the
> CPU is entirely idle, and even if you can return the
> request-processing thread to the thread-pool before you wait that 1
> second to respond.

Good advice in general, but "what you want to do" depends on what you intend to accomplish. If your objective is to carry on with legitimate business without too much interference from the bots, then the thing to do is to detect bots and stop listening to them. I think that André's argument is that we might prefer a different objective: to spend (a reasonable amount of) resources to harm bot performance so that people stop deploying the nasty things. This is worth pondering. It fits nicely with the view that "there are two classes of threats: those properly dealt with, and those still alive."

The problem with active resistance is, of course, that when the bad guys stop deploying bots they'll start doing something else. To be effective for more than a moment, we need to surround all the enemy's tactical options. At that point a smart enemy will give up and go home, while a stupid (or desperate) one will come on and be destroyed. Either way, you win. But this is very hard to arrange.

So we have to consider what going active will cost, and how the enemy's behavior will change. The reward is still there for him if he can grasp it. What's the next soft spot, and can we defend or harden it? Can we afford to win the bot battle, or is it better to just shrug them off?

--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Machines should not be friendly. Machines should be obedient.
Re: practical scenarios
On Tue, Apr 16, 2013 at 08:25:06PM +0200, Jakub 1983 wrote:
> When is it useful to define context.xml in some other place than at /META-INF/context.xml inside the application files ?
>
> When do you usually do it ?
> Is it frequently used ?
> I am not asking about theoretical possibilities, but how are they used in practical scenarios.

I almost *always* write a context descriptor to place in $CATALINA_BASE/conf/Catalina/$HOSTNAME/$CONTEXTNAME.xml, after placing the app. itself somewhere far from the appBase directory so that the descriptor won't be munged by Tomcat during deployment.

I am actually a bit puzzled that it's even *possible* to place the context descriptor inside the app. I gather that I am in the minority, in this. But I feel that the app., whether packed or unpacked, should be treated as an opaque object, with deployment configuration data applied from the outside. I think that muddling the concerns of developers and installers is asking for trouble.

(I also feel that an app. should be able to function without any configuration at all, at least to the point of telling me what I forgot to configure.)

--
Mark H. Wood, Lead System Programmer
mw...@iupui.edu
Machines should not be friendly. Machines should be obedient.
Re: Tomcat access log reveals hack attempt: "HEAD /manager/html HTTP/1.0" 404
On Tue, Apr 16, 2013 at 01:57:55PM -0300, chris derham wrote:
> > Or, another way of looking at this would be that for every 40 servers scanned without a 404 delay, the same bot infrastructure within the same time would only be able to scan 1 server if a 1 s 404 delay was implemented by 50% of the webservers.
>
> This assumes that the scanning software makes sequential requests. Assuming your suggestion was rolled out (which I think is a good idea in principle), wouldn't the scanners be updated to make concurrent async requests? At which point, you only end up adding 1 second to the total original time? Which kind of defeats it.
>
> Again I'd like to state that I think you are onto a good idea, but the other important point is that some (most?) of these scans are run from botnets. These have zero cost (well for the bot farmers anyway). My point is even if the proposal worked, they don't care if their herd is held up a little longer - they are abusing other people computers/connections so it doesn't cost them anything directly.

Yes. But someone *does* own the botted computers, and their own operations are slightly affected. I have wondered if there is some way to make a bot so intrusive that many more owners will ask themselves, "why is my computer so slow/weird/whatever? I'd better get it looked at. Maybe I should install a virus scanner." If bots were killed at a much higher rate, that *would* affect the botnet masters. I have no idea how to make bots more visible by messing with their attacks, just wondering.

Then again, my experience shows that when a computer slows down most people either just live with the problem or buy a faster machine. Ugh.

--
Mark H. Wood, Lead System Programmer
mw...@iupui.edu
Machines should not be friendly. Machines should be obedient.
Re: Tomcat access log reveals hack attempt: "HEAD /manager/html HTTP/1.0" 404
On Mon, Apr 15, 2013 at 07:15:11PM +0200, André Warnier wrote:
> Neven Cvetkovic wrote:
> > How about creating a fake manager application :)))
> >
> > That takes X minutes/seconds to get back a 404 ;)))
[snip]
> Of course at the moment I am just fishing here for potential negative side-effects.

Search for "tarpit". There should be a lot of discussion.

--
Mark H. Wood, Lead System Programmer
mw...@iupui.edu
Machines should not be friendly. Machines should be obedient.
Re: RE : Tomcat 6.0.35 Crashed again
Really, no one else can tell you what settings to use. The best we can hope for is some accepted rules of thumb *as starting points* for further tuning. I'd suggest choosing a tool that lets you easily monitor the memory pools, and checking it frequently as you adjust the pool sizes. If your applications are not leaking memory, the pools should each expand to a certain size and then tend to stay there. I would set each pool's initial size slightly larger than its steady-state size, and set some additional headroom on its maximum size to cope with unpredictable demand bursts. (Actually I would leave most of them alone and just tune the ones that seem significantly out-of-tune.)

I suggest continuing to monitor memory behavior on a regular basis. Your load probably varies over time, and different versions of code behave somewhat differently. I have a repeating reminder on my calendar to check my Tomcat instances weekly. I use PsiProbe for peeking inside Tomcat, but there are a number of other good tools.

As your Tomcat tuning progresses, you'll find what its overall size "ought to be", and can then consider tuning and perhaps resizing the surrounding system. A well-tuned servlet container running in a poorly-tuned OS or undersized hardware will still underperform. The general plan here is the same: start with an educated guess, observe, adjust, monitor.

--
Mark H. Wood, Lead System Programmer
mw...@iupui.edu
There's an app for that: your browser
Re: tomcat 6.0.35 in production maintenance
On Thu, Mar 14, 2013 at 07:13:20AM -0700, fachhoch wrote:
> every few seconds a new session is being created from an ipaddress, I have no clue who owns that ipaddress, how can I find more about that ipaddress?

'whois'.

--
Mark H. Wood, Lead System Programmer
mw...@iupui.edu
There's an app for that: your browser
Re: Nagios plugin script for use with JMXProxy
On Tue, Nov 27, 2012 at 05:37:18PM -0500, Christopher Schultz wrote:
> I have developed a Perl script that can be used with Nagios to check on a Tomcat instance via the manager's JMXProxyServlet. Someone asked me to publish it, which I'm happy to do. I'm just wondering what the best thing to do is.

Allow me to add my thanks!

> I see several options:
>
> 1. Submit a patch to the Tomcat source
> 2. Drop the file into the Tomcat wiki
> 3. Stick the file on Apache's related-projects stash
>    -- I have forgotten the address at this point :(
> 4. Host it on my own website

Maybe Nagios has a third-party plugins corral?

--
Mark H. Wood, Lead System Programmer
mw...@iupui.edu
I don't do "doorbusters".
Re: tomcat6 with crl doesn't load
On Tue, Nov 27, 2012 at 12:56:38PM -0500, Will Nordmeyer wrote:
> My problem comes when I attempt to implement Certificate Revocation List checking. The Government has a root certificate and about 20-30 different intermediate certificate authorities that could have issued the user certificate. I have loaded the root and intermediate government certificate into my local truststore and am loading it properly (based on the fact that the user certificates are recognized and accepted).
>
> I have downloaded all the root certificate CRL data and each individual CA's CRL data. Through the openssl commands, I converted them to PEM and then copied them all into one file massive CRL. I have also, for testing, created a file with the root CRL data and the CRL data for the CA which issued my Certificate.
>
> When I run the complete CRL, I run out of memory (271 MB CRL). When I run just the root & my CA, it doesn't run out of memory, but it also doesn't trigger the PIN prompt (I assume the crl check happens before the PIN is checked?), and just displays "Page cannot be displayed."

Just brainstorming: I wonder if there's some way to move that enormous CRL to an OCSP responder (which could manage its memory any way it likes) and just have Tomcat ask "is this one revoked?" I don't know if there's any way to get Tomcat to do that. I searched for "open source OCSP responder" and found some, so it shouldn't be too costly to put up your own if you have availability concerns.

--
Mark H. Wood, Lead System Programmer
mw...@iupui.edu
I don't do "doorbusters".
Re: ConnectionPoolMBean should not expose plain-text DB password
On Fri, Oct 05, 2012 at 05:11:57PM -0400, Christopher Schultz wrote:
> On 10/5/12 1:51 PM, Te Li wrote:
> > I am not familiar with JIoEndpoint discussed in https://issues.apache.org/bugzilla/show_bug.cgi?id=53139.
> >
> > The issue I'm facing is something different. Apparently, some effort was made to hide the DB password, but the DB password is still exposed via another getter (getDbProperties()). This seems to be a bug to me.
> >
> > DB passwords are highly sensitive information. JMX admins shouldn't see those either. It's not a reasonable assumption that it's okay for JMX admins to see exposed DB passwords (which should never be exposed in plaintext or encrypted form). Those who work in a company would probably concur with this point.
>
> I think most of us work at companies, and I happen to disagree with you.
>
> Tomcat passwords -- at least those in server.xml -- are in plain-text form. All requests to obfuscate them have been denied because it is simply not possible to properly secure them: the key always must be available to the administrator in order to read the obfuscated password and therefore any steps to "secure" the password are a charade.
>
> There is a wealth of knowledge available via JMX, and it should only be exposed to administrators. Any JMX-enabled administrator will be able to deploy an arbitrary webapp to go and fetch the data you are trying to hide. You are wasting your time.

Well, I agree with both of you. :-)

The O.P. seems to want something like a military-style access control system, in which it is possible to set up a structure where *no one* has ultimate access; different roles have privileged access to different aspects of the operation. This is not an unreasonable desire. There are situations where it is advantageous (to the organization) to operate in such a way that there are things a single high-value captive cannot compromise. Compare this to everyday financial controls which require multiple signatures on a check or several individuals with different keys to open a safe. The highest authorities can order things done, but cannot do them. When wearing my sysadmin hat, I work hard to make sure that I do not have to know some of the secrets required to run our operation.

OTOH I agree that Tomcat is not set up to give you a heterarchical access structure. Very few products are. I'm sure I never heard of most of them and suppose that few of you all have either.

--
Mark H. Wood, Lead System Programmer
mw...@iupui.edu
Asking whether markets are efficient is like asking whether people are smart.
Re: Not sure what to make of this, Re: bringing up HTTPS on Tomcat
On Thu, Oct 04, 2012 at 11:49:45AM -0700, James Lampert wrote:
> We have a customer (who shall remain nameless), who had previously ignored our instructions and used IBM DCM instead of Keytool to produce a keystore, and had it signed, all the while blissfully ignorant of the fact that none of it would be the least bit compatible with Tomcat.
>
> I just got an email from that customer, with this puzzling phrase:
>
> > Had to split it up into a .key and .crt file. This is the output.
>
> which was followed by the output from a keytool -printcert on the .crt file.
>
> The -printcert output looks sensible, with 9 "ObjectID" items in it. But what do I make of their comment about having to "split it up"?

My guess would be that they exported the private key and the corresponding public key certificate into separate files, but someone is thinking of all that as a single object for some reason. I have no idea what DCM is or does. Maybe it works with PKCS #12 files, which can carry both parts in a single container.

Unless keytool has changed since the last time I fought with it, there is no way to tell it to ingest a private key. But the KeyStore class it manipulates seems to have the necessary methods, so you should be able to write something to do that.

--
Mark H. Wood, Lead System Programmer
mw...@iupui.edu
Asking whether markets are efficient is like asking whether people are smart.
Re: very basic question about apache and tomcat
I've never tried with Tomcat, but it's not hard to get other Unix applications to authenticate against the Kerberos component of ADS. I logon to Linux every day with ADS credentials, using Kerberos.

o Browsers will need to be set up to use GSSAPI authentication with the affected site. There's a plugin for Firefox that helps to manage the way it does this, where it's called Integrated Authentication for some reason. I don't know how to manage that in IE since there isn't an IE for Linux. :-/

o The server will need to offer GSSAPI authentication and know how to validate tickets. A lot of that is standard JRE equipment. http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html looks like good information on gluing it into Tomcat.

If I were doing this, I'd first stop thinking of it as Windows or ADS authentication and think in terms of GSSAPI/Kerberos. Searching for "firefox kerberos authentication" showed me a lot of hits that might help you on the client side.

--
Mark H. Wood, Lead System Programmer
mw...@iupui.edu
Asking whether markets are efficient is like asking whether people are smart.
Re: High load from tomcat, no users, no errors
Not just Debian; I had several Gentoo boxes get into this state.

--
Mark H. Wood, Lead System Programmer
mw...@iupui.edu
Asking whether markets are efficient is like asking whether people are smart.
Re: Initializing webapps in a certain order
On Wed, Mar 14, 2012 at 12:50:45PM +, Paul Singleton wrote:
> On 14/03/2012 01:37, Caldarale, Charles R wrote:
>
> >> From: Warren Bell [mailto:warrenbe...@gmail.com]
> >> Subject: Initializing webapps in a certain order
>
> >> Can you initialize webapps in a certain order ?
>
> > Read the FAQ:
> > http://wiki.apache.org/tomcat/FAQ/Miscellaneous#Q27
> >
> > The primary reason is that the servlet spec requires that each webapp be self-contained and independent.
>
> >> I have two apps, app1 and app2. app2 needs to access app1 during app2's initialization. I need app1 to be initialized first and be done before app2 starts to initialize.
>
> > Sounds like a bad plan.
>
> Sounds reasonable to me, that one service be designed to make use of another service ;-)

It's also reasonable to design a service so that it doesn't have to stall (or fail) *in the middle of startup* because a supporting service is not running yet. If they have to depend on each other, they might just start anyway, keep trying to make contact, and fire a message upon unreasonable delay. Or just return an error status (and hopefully an informative text) when dependent service A is asked for something that can't be done without the help of supporting service B which is not responding. You probably want that sort of fail-soft design anyway.

That would be "self-contained and independent" in my book, since the app. can continue to operate and gives useful (if undesired) responses regardless of what any other app. is doing. Think of it as lazy initialization, driven by user requests instead of startup code. Startup of service or interactive programs should do only what is absolutely necessary to get the app. into a state in which it can respond, since there can be no guarantee that an arbitrary request will *ever* succeed.

> We have OS services with explicit start-up dependencies, e.g. an issue tracking system which uses an RDBMS, and I'd expect to be able to do this with webapps.

Ah, but that's not the same mechanism. There the OS works out the dependency tree and doesn't start service A until supporting service B indicates successful startup. There's no such centralized dependency analysis in a servlet container; the app.s start in any order the container may choose and then stumble over missing dependencies. I think it could be argued that the servlet spec. makes startup ordering by the container an explicit non-requirement, so you couldn't count on it at another site or in another container version anyway. If you're going to make them dependent then you have to provide the whole dependency resolution mechanism.

--
Mark H. Wood, Lead System Programmer
mw...@iupui.edu
Asking whether markets are efficient is like asking whether people are smart.
Re: Tomcat advantages
But does it also walk dogs?

--
Mark H. Wood, Lead System Programmer
mw...@iupui.edu
Asking whether markets are efficient is like asking whether people are smart.
Re: Running Tomcat on Port 80 with Fedora 16 without IP tables redirect
On Tue, Feb 07, 2012 at 12:06:12PM -0600, Ole Ersoy wrote:
> Thanks Andre and John. I used jsvc to run tomcat before. Maybe that's what got me around the root user restriction.

That is exactly what it is for, and I can't imagine why every distro doesn't use it instead of the arcane scripting that I've seen employed.

--
Mark H. Wood, Lead System Programmer
mw...@iupui.edu
Asking whether markets are efficient is like asking whether people are smart.
Re: Regarding compatibility
Nah, just fork it off of FreeQuantumLoopGravity.

--
Mark H. Wood, Lead System Programmer
mw...@iupui.edu
Asking whether markets are efficient is like asking whether people are smart.
Re: Please somebody can translate this configuration in tomcat form for server.xml or another xml config file?
On Fri, Jan 27, 2012 at 01:34:30PM +0100, Thomas Rohde wrote:
> On 27.01.2012 13:23, Luciano Andress Martini wrote:
> > I need to do this in tomcat6:
> > Apache2 form:
> >
> > Order allow,deny
> > deny from all
> >
> You need to define a Remote Address Filter for your Context, Host or Engine. See http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html#Remote_Address_Filter for more details.
>
> I think
>
>
> should work for you.

No, I think that just denies access to the entire Context, Host, or Engine from clients at any address. The HTTPD config fragment above keeps all clients out of a single directory (and its subdirectories, unless overridden by another Directory element).

--
Mark H. Wood, Lead System Programmer
mw...@iupui.edu
Asking whether markets are efficient is like asking whether people are smart.
Re: About certificates in Tomcat SSL support
On Thu, Jan 12, 2012 at 09:14:28AM -0800, James Lampert wrote:
> Scenario:
>
> I created a self-signed certificate for the box I was testing:
> CN = James Lampert

As already pointed out, there's your problem. To identify a networked service, the value of CN should be the FQDN of the host providing the service. (This is why people suddenly became interested in securing DNS: we are relying on it to validate certificate bindings to services!)

Yes, the prompts are confusing. A recent release of OpenSSL, for example, just updated the CN prompt from "Common Name (eg, YOUR name)" to "Common Name (e.g. server FQDN or YOUR name)".

> OU = Development Lab
> O = Touchtone Corporation
> L = Costa Mesa
> ST = California
> C = US
>
> I then installed it into the Tomcat server on that box. Connecting to the site with Firefox, I was told that the certificate was not trusted, and asked whether to trust it. After I said to trust it, Firefox now lets me in without further question.

Yup. A certificate not already trusted must be validated by a higher authority. If it is signed by another certificate, that is the authority (subject to validation itself); if self-signed, the only available higher authority is you.

> Then, I temporarily installed the certificate on a customer's Tomcat server, just to verify that SSL support was working there. When I connected to it with Firefox, the initial message questioning the validity of the certificate said something about it being for a different server (so far as I'm aware, it isn't for *any* particular server).

I would consider that the proper behavior.

> Looking at the two Tomcat servers in Microsloth Imploder, even after telling it to trust the certificate, I consistently get a message, "The security certificate presented by this website was issued for a different website's address."

I'm concerned that you did *not* get this from the first instance of Firefox, since that cert. couldn't possibly identify *any* networked service. The browser should complain, because there is no DNS domain named "James Lampert".

> Looking at the two Tomcat servers in a different version of Firefox, on a different WinDoze box, both Tomcat servers give me the message, that it is not trusted because it is self-signed, and that it is only valid for James Lampert.

Every root CA certificate is self-signed. Your cert. is not trusted because no one told the client to trust the certificate at the top of the chain of signatures which, for a self-signed certificate, is that very certificate. There's nothing inherent in any certificate which makes it trustworthy; someone has to tell each client which authorities to trust, thus which end certificates it can validate without help. Browsers usually don't kick up a fuss because their makers have made that trust decision for you with regard to bales of CAs' certificates before you got your copy of the browser.

> Also: we have a CA-signed certificate that we use to sign JARs. Is that the same sort of certificate used for Tomcat?

In that both are (presumably) X.509 certificates, yes. Otherwise you need to describe "same sort" more precisely.

Typically you would want to use a cert. signed by a well-known CA, so that most browsers will have already been told to trust that CA and so will be able to validate your certificate without bothering the user. If you coin your own cert.s then anyone who uses the affected servers will have to add those cert.s to their truststores or put up with the "are you sure you want to trust these guys?" dialog every time they visit.

--
Mark H. Wood, Lead System Programmer
mw...@iupui.edu
Asking whether markets are efficient is like asking whether people are smart.
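The two checks the reply above walks through, name binding and chain of trust, as an added example that is not code from the list or from any TLS library. Certificates are modelled as plain dicts (subject, issuer, DNS SANs) so the logic runs offline; the "Example Root CA" and the www.example.edu server certificate are constructed, only the "James Lampert" subject comes from the message. A real client also verifies signatures, validity periods, key usage and revocation, which this model leaves out.

```python
"""Hostname binding and trust-anchor checks on a toy certificate model.

Added example for the thread above, not code from the list or from a TLS
library.  Certificates are dicts with "subject", "issuer" and optional
"san_dns" keys; signature verification is not modelled.
"""

# The subject from the message: a self-signed certificate whose CN is a
# person's name, so it can never match a host name.
JAMES_CERT = {
    "subject": {"CN": "James Lampert", "OU": "Development Lab",
                "O": "Touchtone Corporation", "L": "Costa Mesa",
                "ST": "California", "C": "US"},
}
JAMES_CERT["issuer"] = JAMES_CERT["subject"]

# Constructed CA and server certificate for comparison.
ROOT_CA = {"subject": {"CN": "Example Root CA", "O": "Example"}}
ROOT_CA["issuer"] = ROOT_CA["subject"]
SERVER_CERT = {
    "subject": {"CN": "www.example.edu", "O": "Example"},
    "issuer": ROOT_CA["subject"],
    "san_dns": ["www.example.edu", "*.example.edu"],
}


def hostname_matches(hostname, cert):
    """RFC 6125-style name check: DNS SANs are authoritative; the subject CN
    is consulted only when the certificate carries no DNS SANs.  A wildcard
    is honoured only as the entire leftmost label (*.example.edu)."""
    host = hostname.lower().rstrip(".")
    names = [n.lower() for n in cert.get("san_dns", [])]
    if not names and "CN" in cert["subject"]:
        names = [cert["subject"]["CN"].lower()]
    for name in names:
        if name.startswith("*."):
            h_labels, n_labels = host.split("."), name.split(".")
            if len(h_labels) == len(n_labels) and h_labels[1:] == n_labels[1:]:
                return True
        elif name == host:
            return True
    return False


def is_self_signed(cert):
    """Every root CA certificate is self-signed: issuer equals subject."""
    return cert["subject"] == cert["issuer"]


def build_chain(leaf, available):
    """Follow issuer links from the leaf until a self-signed certificate or a
    dead end (issuer not among the available certificates)."""
    chain = [leaf]
    while not is_self_signed(chain[-1]):
        issuer = next((c for c in available
                       if c["subject"] == chain[-1]["issuer"] and c not in chain), None)
        if issuer is None:
            break
        chain.append(issuer)
    return chain


def validate(hostname, leaf, available, truststore):
    """Return (ok, reason).  ok only when the name binds and some certificate
    in the chain is an explicit trust anchor; a self-signed certificate is
    therefore untrusted until someone adds it to the truststore."""
    if not hostname_matches(hostname, leaf):
        return False, "certificate is not valid for " + hostname
    chain = build_chain(leaf, available)
    if not any(c in truststore for c in chain):
        top = chain[-1]
        kind = "self-signed" if is_self_signed(top) else "unknown issuer"
        return False, "no trust anchor in chain (%s: %s)" % (kind, top["subject"]["CN"])
    return True, "ok"


if __name__ == "__main__":
    # Trusting the cert does not repair the name mismatch, which is the point
    # made about the first Firefox instance.
    print(validate("tomcat.example.edu", JAMES_CERT, [JAMES_CERT], []))
    print(validate("tomcat.example.edu", JAMES_CERT, [JAMES_CERT], [JAMES_CERT]))
    print(validate("www.example.edu", SERVER_CERT, [SERVER_CERT, ROOT_CA], []))
    print(validate("www.example.edu", SERVER_CERT, [SERVER_CERT, ROOT_CA], [ROOT_CA]))
```

The third call fails even though the chain is complete, because the self-signed root is not in the truststore; adding the root (fourth call) is the "someone has to tell each client which authorities to trust" step from the reply.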
Re: Tomcat memory allocation
On Fri, Dec 09, 2011 at 02:52:23PM -, Martin O'Shea wrote:
> Thanks for this Chuck. I realise now what is happening. I thought the PermGen space was used in the heap when now I see it as just storing class definitions. So I could reduce it below 128Mb if I choose. Is there a default value?

There are defaults for all of the settings, in Java not Tomcat. But defaults are irrelevant in production. Tuning is always with respect to your workload, not someone else's averages. You need to give more resources to your application until it starts and runs under modest load, then monitor its resource utilization and make further adjustments to give it enough headroom for unexpected load spikes without wasting resources which will never be used. Then monitor periodically to be sure you haven't missed anything.

--
Mark H. Wood, Lead System Programmer
mw...@iupui.edu
Asking whether markets are efficient is like asking whether people are smart.
Re: [OT]RE: Maximum memory that can be assigned to Tomcat on windows platform
On Thu, Dec 01, 2011 at 12:38:01PM +0100, Mikolaj Rydzewski wrote:
> On the other hand, increasing java heap size is not always the best option. It heavily depends on memory usage pattern in your application. In general: the bigger heap, the longer GC will run.

I was thinking that someone should bring this up. When a program uses unexpectedly huge amounts of memory in practice, the *first* thing to consider is:

1. does it actually need that much?

2. ...or is it leaking dynamically created objects?

3. ...or has cheap allocation and garbage collection lured me into doing something suboptimal, like sucking down an entire database table into an array or list and then walking it sequentially, when I could have used an iterator and let the DBMS code work out near-optimal buffering?

IOW "is my problem fundamentally this big, or is something else going on?"

--
Mark H. Wood, Lead System Programmer
mw...@iupui.edu
Asking whether markets are efficient is like asking whether people are smart.
Re: [OT]RE: Maximum memory that can be assigned to Tomcat on windows platform
The OS has little to do with the calculation. The CPU hardware is doing it. The processor's address logic uses registers which are wider than 32 bits. Just as you can add a 1-digit number to a 3-digit number and get a 3-digit result, the widget that maps a process' virtual address space to the hardware's physical address space can add the content of a 32-bit register to the content of a 36-bit register and get a 36-bit result. (I'm ignoring the possibility of overflow, like adding 1 to 999 in a 3-digit field. With good management they can be avoided.)

Only a tiny bit of the OS kernel, and nothing in any process, needs to know about physical memory. The hardware is set up by that bit and makes processes, and the rest of the kernel, think they each live in a block of memory that starts at 0 and ends at, say, 3GB. In physical memory they live side-by-side (to oversimplify a bit). For how it does that, track down a little story called The Paging Game.

--
Mark H. Wood, Lead System Programmer
mw...@iupui.edu
Asking whether markets are efficient is like asking whether people are smart.
Re: [OT] JspServlet - Unexpected behavior, possible bug...
In addition to enriching the community (which helps *you* when we all treat it as the norm) and helping out others who may come along with similar problems, explaining how you worked it out gives you a chance to show how clever you were. :-)

--
Mark H. Wood, Lead System Programmer
mw...@iupui.edu
Asking whether markets are efficient is like asking whether people are smart.
Re: Configure tomcat using init.d
On Fri, Oct 14, 2011 at 07:33:28AM -0700, Hassan Schroeder wrote:
> On Fri, Oct 14, 2011 at 1:52 AM, ettoregia wrote:
> > My system: Linux, the version I don't know how to realize, since I've got just an ssh connection and typing some command I've not been able to discover it, maybe you can help me out on this as well.
>
> `cat /proc/version` should give you something useful.

'uname -a' is another possibility.

> > Alright, I need to deploy .war file under tomcat that actually has 4 engines (5.5, 6.0.16, 6.0.18, 7.0), and as I'm used to, I would put under /conf/Catalina/localhost, of the engine 6.0.18, a file called .xml to specify the context path of my webApp then I would modify the server.xml to specify the jdbc connection and the like. As I've no rights to modify anything under the tomcat's home the IT guy told me to use the folder init.d/ in order to use any script at boot time to accomplish the configuration above.
>
> Huh? Your app's context path should be taken from the name of the WAR file,

No, his method (conf/Catalina/[engineName]/${contextName}.xml) is the one I use all the time. It works well, and I can install the app wherever I like, and don't have to reinstall the whole thing every time I need to tweak a context parameter.

> and the JDBC config should be contained in the WAR file in a META-INF/context.xml file.

or ${contextName}.xml where, again, it's much more accessible for tweaking. Either one is better than hacking server.xml, though, unless the data source is meant to be used by every app.

> Nothing else required. Other than a better IT department. :-)

This I can agree with. They don't allow application managers access to Tomcat's config., but anyone can drop stuff into /etc/init.d, whence it will run as root? Really? Something is not right here.

That init script would need to start Yet Another Tomcat Instance. Is that what IT wants? That has implications for memory demand, port and address space, and linking among app.s. Maybe the IT guy understands how Tomcat works, but I think I would explore the possibility that he doesn't.

--
Mark H. Wood, Lead System Programmer
mw...@iupui.edu
Asking whether markets are efficient is like asking whether people are smart.
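The deployment layout recommended here and in the "practical scenarios" message above (app installed away from appBase, a per-host descriptor in conf/Catalina/<host>/<context>.xml carrying the deployment configuration), as an added example that is not code from the list or from Tomcat: it writes a constructed CATALINA_BASE-like tree under a temporary directory and audits two descriptors for the two mistakes that defeat the scheme. The element and attribute names (Context, docBase, path, Parameter) are Tomcat's; the rules the audit applies come from the Tomcat Context documentation (a `path` attribute outside server.xml is ignored, and a `docBase` inside the host's appBase is ignored in favour of the appBase copy); the directory names and the `config.file` parameter are this example's own.

```python
"""Audit a per-host Tomcat context descriptor against the layout the thread
recommends.  Added example, not code from the list or from Tomcat; the
directory tree is constructed in a temp dir, the check rules restate the
Tomcat Context documentation for docBase and path.
"""
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Descriptor in the recommended style: docBase far from appBase, and a
# Parameter that tells the app where its own settings live (hypothetical name).
DESCRIPTOR = """<?xml version="1.0" encoding="UTF-8"?>
<Context docBase="{docbase}">
  <Parameter name="config.file" value="{config}"
             description="where the configurables are" override="false"/>
</Context>
"""


def context_path(descriptor_path):
    """Tomcat derives the context path from the descriptor file name:
    ROOT.xml is "/", and '#' in the name separates path segments."""
    stem = Path(descriptor_path).stem
    return "/" if stem == "ROOT" else "/" + stem.replace("#", "/")


def audit_descriptor(descriptor_path, app_base):
    """Return a list of findings; an empty list means the layout is as intended."""
    descriptor_path, app_base = Path(descriptor_path), Path(app_base)
    findings = []
    root = ET.parse(descriptor_path).getroot()
    if root.tag != "Context":
        return ["root element is <%s>, expected <Context>" % root.tag]
    # 'path' is honoured only in server.xml; in a per-host descriptor the
    # context path is taken from the file name and 'path' is ignored.
    if "path" in root.attrib:
        findings.append("'path' attribute is ignored here; the context path is %s "
                        "from the file name" % context_path(descriptor_path))
    doc_base = root.attrib.get("docBase")
    if doc_base is None:
        findings.append("no docBase: Tomcat will look for the app under appBase")
    else:
        db = Path(doc_base)
        if not db.is_absolute():
            db = app_base / db
        if app_base.resolve() in db.resolve().parents:
            findings.append("docBase %s is inside appBase %s: Tomcat ignores it and "
                            "deploys the appBase copy instead" % (db, app_base))
        if not db.exists():
            findings.append("docBase %s does not exist" % db)
    for p in root.findall("Parameter"):
        if "name" not in p.attrib or "value" not in p.attrib:
            findings.append("Parameter element without name/value")
    return findings


def demo():
    """Build the tree, audit a good and a bad descriptor, return both findings lists."""
    base = Path(tempfile.mkdtemp())
    app_base = base / "webapps"
    host_dir = base / "conf" / "Catalina" / "localhost"
    outside = base / "deploy" / "myapp"          # app lives away from appBase
    for d in (app_base, host_dir, outside, base / "etc"):
        d.mkdir(parents=True)
    config = base / "etc" / "myapp.properties"
    config.write_text("db.host=db.example.org\n")   # constructed settings file

    good = host_dir / "myapp.xml"
    good.write_text(DESCRIPTOR.format(docbase=outside, config=config))

    inside = app_base / "other"                   # the layout the thread warns about
    inside.mkdir()
    bad = host_dir / "other.xml"
    bad.write_text('<Context path="/other" docBase="%s"/>' % inside)
    return audit_descriptor(good, app_base), audit_descriptor(bad, app_base)


if __name__ == "__main__":
    for name, findings in zip(("myapp.xml", "other.xml"), demo()):
        print(name, findings or "ok")
```

The application reads the `config.file` context parameter (through `ServletContext.getInitParameter`) to find its properties, so installers change the properties file or the descriptor and never touch the WAR.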
Re: Denying IPs using the Valve command in context.xml
On Tue, Oct 04, 2011 at 09:11:28PM +0200, Francis GALIEGUE wrote:
> On Tue, Oct 4, 2011 at 21:08, Christopher Schultz wrote:
> [...]
> >
> > - From the docs:
> >
> > "If this attribute [allow] is specified, the remote address MUST match for this request to be accepted".
> >
> > "If this attribute [deny] is specified, the remote address MUST NOT match for this request to be accepted".
> >
> > I don't think Matcher.lookingAt is appropriate for this kind of checking.
> >
>
> Well, it depends on the definition of "match", I guess. For me, a regex matches an input if it matches anywhere in the input! Which is pretty much the definition of regex matching, and which is why Java's .matches() methods are misnomers...

Hmmm, old SNOBOL coders may recall the handy concept of "anchored" (.matches(), .lookingAt()) vs. "unanchored" (.find()) matching. The actual difference between matches() and lookingAt() is that of matching the entire string vs. matching a prefix.

Having said that, I think that an anchored partial match (lookingAt()) really is the least-bad fit to the address problem, since we're usually more concerned about the first, second, and perhaps third quads of an IP address and the trailing part is considered insignificant. As I posted previously, though, it's still pretty bad: how would you match a /27?

Domain matches, OTOH, might take matches() as least-bad of the regex types, since the prefix tends to be the don't-care part. Again, though, since domain structure is significant, regex matching tends to require a lot of complexity that could be considered boilerplate: you almost always need to write all the fiddly escaped dots and stuff.

(If you think SNOBOL is ancient: I'm trying to recall whether COMIT II embodied all of these concepts. :-)

--
Mark H. Wood, Lead System Programmer
mw...@iupui.edu
Asking whether markets are efficient is like asking whether people are smart.
Re: Denying IPs using the Valve command in context.xml
Part of the problem with this valve is that regex matching is such a (IMHO) bizarre choice for IP address matching. IP addresses have a structure which is very unlike text, and the customary and expected matches take a bit of finagling to do in regexes. I should try writing netmask and CIDR address matchers.

Likewise the hostname valve. Domain names also are structured, and people who have just discovered the valve may be expecting quite a different type of matching than what they get. I had to read the documentation very slowly and carefully before I could get the customary match styles out of my head. Again, I should try writing a DNS-style globber.

It might be fun. (But don't hold your breath waiting for it.)

--
Mark H. Wood, Lead System Programmer
mw...@iupui.edu
Asking whether markets are efficient is like asking whether people are smart.
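The anchored/unanchored distinction from the previous message and the CIDR matcher this one wishes for, as an added example that is not code from the list or from Tomcat. Python's `re.fullmatch`, `re.match` and `re.search` correspond to Java's `Matcher.matches()` (entire string), `Matcher.lookingAt()` (anchored prefix) and `Matcher.find()` (anywhere), so the three verdicts below are the ones the valve's choice of method would produce. The `CidrMatcher` applies the valve's documented allow/deny rule to network membership instead of text; `cidr_to_regex` shows what answering "how would you match a /27?" costs in regex form. All addresses are constructed.

```python
"""Regex anchoring pitfalls for IP addresses, and a CIDR matcher instead.

Added example for the two messages above, not code from the list or from
Tomcat.  fullmatch/match/search stand in for Java's matches()/lookingAt()/
find(); the allow/deny rule follows the valve documentation quoted in the
thread.  Sample addresses and networks are constructed.
"""
import ipaddress
import re


def regex_verdicts(pattern, address):
    """(matches, lookingAt, find)-style results for one pattern and address."""
    rx = re.compile(pattern)
    return (rx.fullmatch(address) is not None,   # whole string
            rx.match(address) is not None,       # anchored prefix
            rx.search(address) is not None)      # anywhere


class CidrMatcher:
    """Allow/deny decision on network membership rather than on text."""

    def __init__(self, allow=(), deny=()):
        self.allow = [ipaddress.ip_network(n, strict=False) for n in allow]
        self.deny = [ipaddress.ip_network(n, strict=False) for n in deny]

    def permits(self, address):
        # Documented rule: if deny is set the address MUST NOT match it;
        # if allow is set the address MUST match it.
        ip = ipaddress.ip_address(address)
        if any(ip in n for n in self.deny):
            return False
        if self.allow:
            return any(ip in n for n in self.allow)
        return True


def cidr_to_regex(cidr):
    """Regex equivalent of an IPv4 block of /24 or longer, for use with a
    whole-string match: fixed first three octets plus an alternation of the
    last-octet values.  Blocks shorter than /24 are refused here."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4 or net.prefixlen < 24:
        raise ValueError("only IPv4 /24 or longer is handled here")
    octets = str(net.network_address).split(".")
    first = int(octets[3])
    last = first + net.num_addresses - 1
    return (r"\.".join(octets[:3]) + r"\."
            + "(" + "|".join(str(i) for i in range(first, last + 1)) + ")")


if __name__ == "__main__":
    # lookingAt() accepts 10.1.22.7 for "10\.1\.2": the prefix matches.
    print(regex_verdicts(r"10\.1\.2", "10.1.22.7"))
    # find() accepts 11.2.3.4 for "1\.2\.3\.4": it matches in the middle.
    print(regex_verdicts(r"1\.2\.3\.4", "11.2.3.4"))
    m = CidrMatcher(allow=["192.0.2.0/24"], deny=["10.1.2.64/27"])
    print(m.permits("10.1.2.70"), m.permits("192.0.2.5"), m.permits("198.51.100.1"))
    print(cidr_to_regex("10.1.2.64/27"))
```

The generated pattern for 10.1.2.64/27 is a 32-way alternation of the last octet, which is about the clearest illustration of why address matching wants a netmask rather than a regex.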
Re: Apache Tomcat 5.5.34 Question (UNCLASSIFIED)
Consider something like:

    $ openssl rand -base64 32
    DJaLgg+fcT8ygQVCd1uKcpLAuxGPmEWhv7j+aorobVs=

if you want help coming up with reasonably hard-to-guess secrets.

--
Mark H. Wood, Lead System Programmer
mw...@iupui.edu
Asking whether markets are efficient is like asking whether people are smart.
Re: How to configure a web app
On Wed, Jun 09, 2010 at 05:20:22PM +0200, Thomas Kloeber wrote:
> Mark H. Wood wrote on 09.06.2010 17:03:
> > On Wed, Jun 09, 2010 at 04:19:17PM +0200, Thomas Kloeber wrote:
> >
> >> the problems I have are:
> >>
> >> * the IP address of the backing database is one of the parameters
> >>   that needs to be configured (in context.xml), so I can't get any
> >>   data from the db unless it is configured...
> >> * the other configurables (SPNEGO and kerberos stuff) are in web.xml
> >>   and as long as they are not set up correct, my app won't start!
> >> * sounds like a catch 22 to me ...
> >>
> > Context parameter pointing to a properties file somewhere? Then you
> > can put the settings wherever you want them, and move them anytime
> > with minimal fuss. Install the app. outside of any appBase and use an
> > external Context file
> > ($CATALINA_BASE/conf/Catalina//.xml)
> > to point to it and provide the parameter's value:
> >
> >
> > value='/some/where/else/myapp.properties'
> > description='where the configurables are'/>
> >
> >
> > You could just define the configurables as separate Parameters, but I
> > would keep them separated from configuration of the servlet container
> > (which the above is) if possible. Tastes vary.
> >
> sounds like a good idea, but what about the web.xml stuff? Can I use
> some redirection there as well?

I guess I don't understand why web.xml must be customized at all. In Tomcat, s can be configured in a ; entries can be made in a ; initialization parameters can be set in a . Is there something else? And Tomcat allows you to place the declaration outside of the app. as noted above.

> Caldarale, Charles R wrote on 09.06.2010 17:04:
> >> how do you "make changes in context.xml inside archive"?
> >>
> > Unpack it with the jar utility, update, repack. Alternatively, you can
> > supply the element in a separate file, and have the admin put
> > that in conf/Catalina/[host]/[appName].xml after modifying the
> > site-specific attributes.
> I was afraid you'd say something like that, but to me that is way too
> complicated/error prone...

I agree. This always feels to me like telling someone that he can configure his word processor by using a binary editor on the executable. Customers should never have to put their fingers inside the app; it should get customer-specific information from some place whose location is told to it at startup.

--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Balance your desire for bells and whistles with the reality that only a little more than 2 percent of world population has broadband. -- Ledford and Tyler, _Google Analytics 2.0_
Re: How to configure a web app
On Wed, Jun 09, 2010 at 04:19:17PM +0200, Thomas Kloeber wrote:
> the problems I have are:
>
> * the IP address of the backing database is one of the parameters
>   that needs to be configured (in context.xml), so I can't get any
>   data from the db unless it is configured...
> * the other configurables (SPNEGO and kerberos stuff) are in web.xml
>   and as long as they are not set up correct, my app won't start!
> * sounds like a catch 22 to me ...

Context parameter pointing to a properties file somewhere? Then you can put the settings wherever you want them, and move them anytime with minimal fuss. Install the app. outside of any appBase and use an external Context file ($CATALINA_BASE/conf/Catalina//.xml) to point to it and provide the parameter's value:

You could just define the configurables as separate Parameters, but I would keep them separated from configuration of the servlet container (which the above is) if possible. Tastes vary.

--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Balance your desire for bells and whistles with the reality that only a little more than 2 percent of world population has broadband. -- Ledford and Tyler, _Google Analytics 2.0_
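As an added example of the approach in this post and the reply above it (not code from the thread or from Tomcat), a ServletContextListener that reads the properties-file path from the Parameter in the external Context file and loads the site-specific settings from it at startup, failing the deployment with a clear message when the parameter or file is missing. The file paths, parameter name and attribute name are assumed; the Context and Parameter elements are Tomcat's standard ones.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.Properties;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;

/*
 * Tomcat side, $CATALINA_BASE/conf/Catalina/<host>/myapp.xml (paths assumed),
 * using Tomcat's standard Context <Parameter> element:
 *
 *   <Context docBase="/opt/myapp">
 *     <Parameter name="myapp.config"
 *                value="/some/where/else/myapp.properties"
 *                override="false"
 *                description="where the configurables are"/>
 *   </Context>
 *
 * The properties file sits outside the webapp, so it is never served and can
 * be readable by the Tomcat user alone. The listener is registered once in
 * web.xml with a <listener> element; that part never changes per site.
 */
public class ExternalConfigListener implements ServletContextListener {
    static final String PARAM = "myapp.config";   // assumed parameter name
    static final String ATTR = "myapp.settings";  // where the app finds them

    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        String path = ctx.getInitParameter(PARAM);  // the <Parameter> value
        if (path == null) {
            throw new IllegalStateException("context parameter " + PARAM
                + " is not set; add a <Parameter> to conf/Catalina/<host>/myapp.xml");
        }
        try {
            ctx.setAttribute(ATTR, load(path));  // fail the deploy if unreadable
        } catch (IOException e) {
            throw new IllegalStateException("cannot read " + path, e);
        }
    }
    public void contextDestroyed(ServletContextEvent sce) {
        sce.getServletContext().removeAttribute(ATTR);
    }
    // Plain java.util.Properties: db.host=..., kerberos.realm=..., and so on.
    static Properties load(String path) throws IOException {
        Properties p = new Properties();
        try (InputStream in = new FileInputStream(path)) { p.load(in); }
        return p;
    }
}
```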
Re: Keeping tomcat up-to-date on linux
On Thu, May 20, 2010 at 02:03:24PM +1200, Dale Ogilvie wrote:
> Hi,
>
> The current release is 6.0.26, March 2010.
>
> RHEL5.x is running with Tomcat 5.5.
>
> Fedora 12 is on 6.0.20, June 2009 vintage.
>
> Ubuntu 10.04 is on 6.0.24 from Jan 2010.

Gentoo doesn't.have.versions.anymore is on 6.0.26 since around 30-Mar-2010.

--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Balance your desire for bells and whistles with the reality that only a little more than 2 percent of world population has broadband. -- Ledford and Tyler, _Google Analytics 2.0_
Re: Tomat monitoring
On Thu, May 20, 2010 at 01:24:04PM +0200, Ozgur Ozdemircili wrote:
> Are we losing the subject here a bit? While mentioning the "monitoring" I
> refer to JVM monitoring. Heap usage etc. not the snmp monitoring.

SNMP can be used to monitor just about anything that is measurable, so long as you find or create a relevant MIB and implementation. Such as:

https://mhw.ulib.iupui.edu/Java/technotes/guides/management/snmp.html

Take a look at the JVM-MANAGEMENT-MIB.

--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Balance your desire for bells and whistles with the reality that only a little more than 2 percent of world population has broadband. -- Ledford and Tyler, _Google Analytics 2.0_
Re: snort detecting ICMP traffic, tomcat?
On Tue, May 11, 2010 at 09:33:36AM -0500, Caldarale, Charles R wrote:
> > From: James R. Marcus [mailto:jmar...@edhance.com]
> > Subject: snort detecting ICMP traffic, tomcat?
> >
> > Could Tomcat be generating ICMP traffic to an IP accessing the server?
>
> No. Java is not capable of generating ICMP messages.

That's not what ICMP Unreachable means. It's a response from the target host to a connection attempt by the requesting host which could or should not be accepted. It should be sent by the host's network stack, not anything in userspace, but it can be triggered by any program which requests a connection that is refused. Java certainly can evoke one of these, even if it can't send them.

In this case (Host Administratively Prohibited), 121d59.pitzer.edu is saying, "I refuse to talk to you on any port." I have no idea what is requesting a connection to that host, or why. It sounds like someone's workstation ("121d59") is configured to refuse traffic from internal-only (10/8) addresses. It might be helpful to start up a packet monitor and sample the attempts, to see what port(s) are being requested.

I find it interesting that there are two PTR records in DNS for that address, and the other one is to "jk-dc96425b8e." That's not the sort of name you expect from DNS. You might want to report that to someone at Pitzer College. A 'whois' query for pitzer.edu returns nothing, too.

--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Balance your desire for bells and whistles with the reality that only a little more than 2 percent of world population has broadband. -- Ledford and Tyler, _Google Analytics 2.0_
Re: Log4j logging doesn't work when a web application is moved outside Tomcat/webapps directory
On Wed, May 05, 2010 at 08:31:33AM -0500, Caldarale, Charles R wrote:
> As always, don't put elements in server.xml. The above got you
> double deployment of the foo webapp, once as foo, once as the default.
>
> Why do people invite problems when it's so easy to do things properly?

Maybe because the documentation doesn't say it's improper; it says you can do this. Your advice in this matter makes good sense when you explain it, but nobody sees it until he runs into a problem and brings it here. I think a documentation update from you would be widely appreciated, and save you loads of time in the long run.

--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Balance your desire for bells and whistles with the reality that only a little more than 2 percent of world population has broadband. -- Ledford and Tyler, _Google Analytics 2.0_
Re: Tomcat 6.0.26 startup scripts changed from 6.0.18
Any chance that the stock scripts might someday use 'jsvc', since Tomcat is set up to run that way? Then Tomcat can be easily started as root (and won't have to worry about permission to create PID files) but run as someone else.

--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Balance your desire for bells and whistles with the reality that only a little more than 2 percent of world population has broadband. -- Ledford and Tyler, _Google Analytics 2.0_
Re: [OT] Batch-processing of emailed log4j log messages
An alternative approach: you could pump the messages through a mailing-list digest builder. You may get 100 messages in five minutes, but you only get interrupted once. Sorry, I've never run a digested list so I don't have a name handy.

--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Friends don't let friends publish revisable-form documents.
Re: [OT] Tomcat dies suddenly
Heh, when I was in another building I was issued an ADDS Viewpoint terminal which would, every so often, begin typing all by itself and quite at random. Eventually we determined that my cubicle was directly underneath an arc welding station in the welding shop one floor up, and when welding classes were in session the EMI was picked up by my keyboard.

(Written from one of my xterms.)

--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Friends don't let friends publish revisable-form documents.
Re: JSP Page "hangs"... clues?
On Wed, Feb 10, 2010 at 12:26:42PM -0800, Jordan Michaels wrote:
> Yeah, it's hanging permanently. We've let it sit there for what... 15
> mins or so? Which should be plenty since no one is using it right now
> except us.

Maybe, maybe not. Did you monitor CPU and memory utilization, I/O load and I/O wait time on the server during one of these spells? I've seen a certain web browser get hold of some badly-written script or something, spend *minutes* blowing up to a huge size while running 100% of CPU the whole time with the UI completely unresponsive, then give all that memory back and continue as if nothing had happened. Maybe you've found a way to do something similar with Tomcat, but it takes 16 minutes to cycle.

Just waiting until you think it's been long enough is not a very strong test. What's it doing while you wait? is a question you need to consider.

--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Friends don't let friends publish revisable-form documents.
Re: [OT] Re: Securing Tomcat Applications from Reverse Engineering
On Thu, Jan 21, 2010 at 03:02:41PM +, Peter Crowther wrote:
> 2010/1/21 Mark H. Wood
>
> > Reverse engineering is not a technical problem; it is a legal
> > problem. You need a lawyer, not a program.
> >
>
> Mmm, yes and no. Burglary is also a legal problem, but I have locks (on /
> around the things I want to keep, of a cost and quality appropriate to my
> expected loss) as well as being able to engage a lawyer if required.

The analogy is imprecise. If you lease a house to someone, you have no feasible technical means to control who enters your house -- the lessee possesses a key and can let in anyone he pleases. But you could write a lease which constrains the set of people lessee is permitted to allow in. (Dunno why, but you could.) The house would be useless to lessee without a key.

Similarly a program, distributed to a user, would be useless unless an intelligible version can be loaded or derived by the user's equipment. But if the user's equipment can load or derive an intelligible version of the program, the program can be reverse-engineered. That's why software licenses almost always contain specific language about reverse engineering.

In both cases the owner has *necessarily* given up technical control of the property, and can only exert control through legal means. You can't stop people abusing property that you hand over to them, but you may be able to punish them if they do.

--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Friends don't let friends publish revisable-form documents.